HackerOne report H1:1581240 by beerboy_ankit
May 25, 2022 - 5:10 p.m.

Stripe: Mass Account Takeover at https://app.taxjar.com/ - No user Interaction

Source: hackerone.com
Bounty: $11500

@beerboy_ankit discovered an IDOR in the user invite link in Taxjar. This could have allowed an attacker to take over a user's account. The vulnerability was caused by a leaked token in the delete invitation request feature and resolved by using the invitation ID instead of the token to look up the user's invite when deleting an invitation. Validation was added to ensure the ID belongs to the user's organization.
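As an added illustration (not TaxJar's or the reporter's code), the lookup change the summary describes, modelled as a delete-invitation handler in Python: a token-keyed lookup with no tenant check beside the fixed ID-keyed lookup scoped to the caller's organization. The `Invitation`/`User` types, the in-memory store and the sample values are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Invitation:
    id: int
    token: str   # secret mailed to the invitee; must not serve as a lookup key for other users' requests
    org_id: int
    email: str


@dataclass
class User:
    id: int
    org_id: int


def sample_invites() -> dict:
    """Constructed data: two organizations, one pending invite each."""
    return {
        1: Invitation(1, "tok-aaaa", org_id=10, email="a@example.com"),
        2: Invitation(2, "tok-bbbb", org_id=20, email="b@example.com"),
    }


def delete_invitation_before(caller: User, token: str, invites: dict) -> bool:
    """Pre-fix shape: the invite is located by its token and nothing ties it to the
    caller's organization, so anyone who obtains a token can delete that invite."""
    for inv in list(invites.values()):
        if inv.token == token:
            del invites[inv.id]
            return True
    return False


def delete_invitation_after(caller: User, invitation_id: int, invites: dict) -> bool:
    """Post-fix shape: look up by ID, then require the invite to belong to the
    caller's organization. Answering "missing" and "not yours" identically keeps
    the endpoint from confirming other organizations' invitation IDs."""
    inv = invites.get(invitation_id)
    if inv is None or inv.org_id != caller.org_id:
        return False
    del invites[invitation_id]
    return True
```

The first function shows why a leaked token alone was enough to act on another tenant's invite; the second shows the two checks (ID lookup plus organization ownership) that close the IDOR.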