User can remove any member from the workspace

State Resolved
October 3, 2019
Issue ID wuBFxj_hh
Asset Web application
Bounty $500
Reported at October 1, 2019
Reporter Undisclosed
Severity Medium
Visibility Limited
Weakness CWE-284 - Improper Access Control

Description

A regular user can remove a target user from any workspace the target user is a member of, even if the two users are not in the same workspace at all. A third user who was not part of the same workspace as the target user could successfully remove the target user from a workspace where the target user was a regular member.
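The access-control gap described above can be shown with a small in-memory model. This is an added example, not code from the affected application or from the report; the data model, the role names, and the policy that only workspace admins may remove other members are assumptions.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the action."""

@dataclass
class Workspace:
    # user_id -> role; the role names "admin" and "member" are assumed
    members: dict = field(default_factory=dict)

def remove_member_unchecked(workspaces, actor_id, workspace_id, target_id):
    """Flawed pattern: acts on the IDs in the request and never looks at actor_id."""
    workspaces[workspace_id].members.pop(target_id, None)

def remove_member(workspaces, actor_id, workspace_id, target_id):
    """Hardened: authorize the actor against the workspace being modified."""
    ws = workspaces.get(workspace_id)
    # Same error for "no such workspace" and "not a member", so callers
    # outside the workspace learn nothing about which IDs exist.
    if ws is None or actor_id not in ws.members:
        raise Forbidden("actor is not a member of this workspace")
    # Assumed policy: admins may remove anyone, members only themselves.
    if ws.members[actor_id] != "admin" and actor_id != target_id:
        raise Forbidden("only a workspace admin may remove other members")
    if target_id not in ws.members:
        raise Forbidden("target is not a member of this workspace")
    del ws.members[target_id]

def demo():
    """Constructed data: 'mallory' shares no workspace with 'victim'."""
    def fresh():
        return {"ws-a": Workspace({"owner": "admin", "victim": "member"}),
                "ws-b": Workspace({"mallory": "member"})}
    results = {}
    w = fresh()
    remove_member_unchecked(w, "mallory", "ws-a", "victim")
    results["unchecked_removed"] = "victim" not in w["ws-a"].members
    w = fresh()
    try:
        remove_member(w, "mallory", "ws-a", "victim")
        results["outsider_blocked"] = False
    except Forbidden:
        results["outsider_blocked"] = "victim" in w["ws-a"].members
    remove_member(w, "owner", "ws-a", "victim")
    results["admin_removed"] = "victim" not in w["ws-a"].members
    return results

if __name__ == "__main__":
    print(demo())
```

A regression test for this class of bug should issue the removal as a user from an unrelated workspace and assert that membership is unchanged afterwards, not only that an error was returned.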


The rest of the report is undisclosed.