2 matches found
GHSA-W388-2392-PX73 praisonai-platform: Missing authorization on member removal enables full workspace takeover by any user regardless of role
Summary Type: Authorization bypass enabling owner lockout. The DELETE /workspaces/workspaceid/members/userid endpoint is gated only by requireworkspacememberworkspaceid default minrole="member". Any member can remove any other member, including the workspace owner, using a single DELETE. There is...
Yelp: Privilege Escalation - A Low Privilege User who does not have access to the user management module can remove the owner of the business account
The owner of the business account was removed by a low-privilege user who did not have access to the user management module...