Team member is able to change status for any user within the team (including owner)

State: Resolved
Date: November 27, 2019
Issue ID: XkweKLSlO
Asset: Web application
Bounty: $1,000
Reported at: November 22, 2019
Reporter: Undisclosed
Severity: High
Visibility: Limited
Weakness: CWE-284 - Improper Access Control

DESCRIPTION

If a user is invited to a team, that user can change any member's status to PENDING, ACTIVE, DECLINED, or INACTIVE. The invited user can also change the team owner's status and force the owner out of the team. This is possible regardless of the malicious user's own status: as long as they are part of the team, even as an inactive member, the status change is accepted.

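As an added illustration (not code from the report or from the affected application), the server-side check below stands in for a membership-status endpoint. The first function only confirms that the caller belongs to the team at all, which is the class of flaw the report describes; the second adds the caller-status, role and owner-protection checks that close it. The role model (only the owner administers membership) and the data shapes are assumptions for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    PENDING = "PENDING"
    ACTIVE = "ACTIVE"
    DECLINED = "DECLINED"
    INACTIVE = "INACTIVE"


@dataclass
class Team:
    owner: str
    members: dict = field(default_factory=dict)  # user id -> Status


class Forbidden(Exception):
    pass


def set_status_vulnerable(team: Team, actor: str, target: str, new_status: Status) -> None:
    """Mirrors the reported flaw: the only authorization check is that the
    actor appears in the member list. Role and the actor's own status are
    never consulted, so an INACTIVE member can demote the owner."""
    if actor not in team.members:
        raise Forbidden("not a team member")
    team.members[target] = new_status


def set_status_fixed(team: Team, actor: str, target: str, new_status: Status) -> None:
    """Hardened version: every decision is made from server-side state."""
    # 1. The caller must be a member in good standing, not PENDING/DECLINED/INACTIVE.
    if team.members.get(actor) != Status.ACTIVE:
        raise Forbidden("actor is not an active member")
    # 2. Only the owner may administer membership (assumed policy for this example).
    if actor != team.owner:
        raise Forbidden("only the team owner can change member status")
    # 3. The owner's own membership is never editable through this endpoint.
    if target == team.owner:
        raise Forbidden("owner status cannot be changed here")
    # 4. The target must actually belong to this team.
    if target not in team.members:
        raise Forbidden("target is not a team member")
    team.members[target] = new_status


def _constructed_team() -> Team:
    # Constructed sample data: an owner plus one inactive member.
    return Team(owner="alice", members={"alice": Status.ACTIVE, "mallory": Status.INACTIVE})
```

A regression test for this class of bug should exercise the endpoint as a non-owner and as an inactive member, asserting that both are rejected and that the owner's record is unchanged.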
The rest of the report is undisclosed.