@akashhamal0x01 discovered an Organization Owner could update the email address of a member of their organization in TaxJar. This could have allowed an attacker to take over a victim’s account if the victim belonged to the attacker’s organization. The vulnerability was caused by the ability to edit another member’s email address and was resolved by restricting Organization Owners from editing a member’s email address.
A misconfiguration was found by which other users' mail can be changed, resulting in account takeover!
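The authorization flaw described above, as an added illustration (not TaxJar's code): the "before" handler lets an Organization Owner change any member's email address, while the "after" handler only accepts a change made by the account holder for their own account. The data model, the `PermissionDenied` exception and the audit log are assumptions for the example.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    email: str
    org_id: int


@dataclass
class Organization:
    id: int
    owner_id: int
    member_ids: set = field(default_factory=set)


class PermissionDenied(Exception):
    """Raised when the actor is not allowed to perform the change."""


AUDIT_LOG = []  # constructed: stands in for a real audit trail


def update_email_before(actor: User, target: User, org: Organization, new_email: str) -> str:
    """Vulnerable check: the account holder OR the owner of the target's
    organization may set the target's email (the reported behaviour)."""
    is_self = actor.id == target.id
    is_org_owner = org.owner_id == actor.id and target.id in org.member_ids
    if not (is_self or is_org_owner):
        raise PermissionDenied("not allowed to edit this email address")
    target.email = new_email
    return target.email


def update_email_after(actor: User, target: User, new_email: str) -> str:
    """Fixed check: only the account holder may change their own email.
    The Organization Owner role plays no part in the decision, so an owner
    can no longer redirect a member's login email to an address they control."""
    if actor.id != target.id:
        AUDIT_LOG.append(("denied_email_change", actor.id, target.id))
        raise PermissionDenied("only the account holder may change their email")
    AUDIT_LOG.append(("email_changed", actor.id, target.email, new_email))
    target.email = new_email
    return target.email
```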