Team member is able to change status for any user within the team (including owner)
November 27, 2019
| Field | Value |
|---|---|
| Reported at | November 22, 2019 |
| Weakness | CWE-284 - Improper Access Control |
If a user is invited to a team, that user is able to change any member's status to PENDING, ACTIVE, DECLINED, or INACTIVE. The invited user can change the team owner's status as well and thereby force the owner out of the team. This is possible regardless of the malicious user's own status: as long as the user is part of the team, even as an inactive member, the status change succeeds.
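The missing authorization check, shown as an added example that is not the affected application's code: the statuses are the ones named in the report, while the team/owner model, the rule that only the active owner may change other members' status, and the self-service accept/decline path are assumptions.

```python
from dataclasses import dataclass, field

# Status values named in the report; everything else here is a constructed model.
STATUSES = {"PENDING", "ACTIVE", "DECLINED", "INACTIVE"}


class PermissionDenied(Exception):
    pass


@dataclass
class Team:
    owner_id: str
    members: dict = field(default_factory=dict)  # user_id -> status


def set_status_vulnerable(team, actor_id, target_id, new_status):
    """Mirrors the reported behaviour: being in the members table (with any
    status) is the only check, so an INACTIVE invitee can demote the owner."""
    if actor_id not in team.members:
        raise PermissionDenied("actor is not a team member")
    if new_status not in STATUSES:
        raise ValueError(f"unknown status {new_status!r}")
    team.members[target_id] = new_status


def set_status_fixed(team, actor_id, target_id, new_status):
    """Hardened version (assumed policy): a member may only accept or decline
    their own PENDING invitation; any other change requires the ACTIVE owner,
    which also means the owner's own status cannot be changed this way."""
    if new_status not in STATUSES:
        raise ValueError(f"unknown status {new_status!r}")
    if target_id not in team.members:
        raise PermissionDenied("target is not a team member")
    if actor_id == target_id:
        if team.members[actor_id] == "PENDING" and new_status in {"ACTIVE", "DECLINED"}:
            team.members[target_id] = new_status
            return
        raise PermissionDenied("members may only accept or decline their own invitation")
    if actor_id != team.owner_id or team.members.get(actor_id) != "ACTIVE":
        raise PermissionDenied("only the active owner may change other members' status")
    team.members[target_id] = new_status


def make_team(invitee_status="INACTIVE"):
    # Constructed fixture: an active owner plus one invited member.
    return Team(owner_id="owner", members={"owner": "ACTIVE", "invitee": invitee_status})
```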