Description: A viewer (read-only user) of any entity (e.g. address book, folder) does not have access to the permission section and cannot perform any action in the Permission/Invite people section. However, the HTTP request for resending an invitation is vulnerable: it does not check whether the user is the owner.
Working Entities: Address books, calendar folders, task folders, drives, etc.
Vulnerable HTTP request:
If any read-only user sends this request to the server, it is accepted and the invitation link is sent to the member.
Issue: Only the owner of the folder should be able to perform this action, but a viewer (read-only user) of the folder can perform it too.
Let me know if you require a video PoC or any steps to reproduce this issue.
Best regards! Vijay Kumar
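The missing check described in this report, sketched as an added example that is not part of the original report or the affected product's code: a resend handler that only verifies the invitation exists, beside one that applies the same server-side owner check as the other permission actions. All names (`Role`, `Folder`, `require_owner`, the `resend_invitation_*` functions) and the sample users are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    VIEWER = "viewer"  # read-only user
    OWNER = "owner"


class Forbidden(Exception):
    """Raised when the caller lacks the role an action requires."""


@dataclass
class Folder:
    name: str
    roles: dict                                   # user -> Role
    pending_invites: set = field(default_factory=set)
    sent: list = field(default_factory=list)      # audit trail: (actor, invitee)


def require_owner(folder, actor):
    # One server-side check shared by every permission/invite action.
    if folder.roles.get(actor) is not Role.OWNER:
        raise Forbidden(f"{actor} is not owner of {folder.name}")


def resend_invitation_vulnerable(folder, actor, invitee):
    # Behaviour described in the report: the handler checks that the
    # invitation exists but never checks who is asking.
    if invitee not in folder.pending_invites:
        raise KeyError(invitee)
    folder.sent.append((actor, invitee))
    return True


def resend_invitation_fixed(folder, actor, invitee):
    require_owner(folder, actor)  # authorize before touching any state
    return resend_invitation_vulnerable(folder, actor, invitee)


def demo():
    # Constructed sample data: alice owns the folder, bob is a viewer.
    f = Folder("Address book", {"alice": Role.OWNER, "bob": Role.VIEWER},
               {"carol@example.com"})
    leaked = resend_invitation_vulnerable(f, "bob", "carol@example.com")
    try:
        resend_invitation_fixed(f, "bob", "carol@example.com")
        blocked = False
    except Forbidden:
        blocked = True
    owner_ok = resend_invitation_fixed(f, "alice", "carol@example.com")
    return leaked, blocked, owner_ok, f.sent
```

The same `require_owner` call belongs in front of every handler under the permission section, so a role-by-action regression test can assert that each one rejects a viewer.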