Uber: Cross-Tenant IDOR on Business allowing privilege escalation, invitation takeover, and editing of any other Business's employees
A Business employee with the user role was able to escalate their privilege to admin using a crafted request to the https://business.uber.com/rpc?rpc=updateEmployees endpoint, as long as the employeeUuid is known...
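The missing checks, as an added illustration that is not Uber's code: a minimal updateEmployees-style handler in its vulnerable form, resolving targets by employeeUuid alone, beside a hardened form that requires the caller to be an admin of a business and scopes every target to that same business. The role names, the batch payload shape and the in-memory directory are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Employee:
    uuid: str
    business_id: str
    role: str  # assumed role names: "user" or "admin"

class AuthzError(Exception):
    """Raised when the caller may not perform the requested update."""

def sample_directory():
    """Constructed sample data: two businesses, employees keyed by employeeUuid."""
    return {
        "emp-a1": Employee("emp-a1", "biz-A", "user"),
        "emp-a2": Employee("emp-a2", "biz-A", "admin"),
        "emp-b1": Employee("emp-b1", "biz-B", "user"),
    }

def update_employees_vulnerable(directory, caller_uuid, updates):
    """IDOR pattern: targets are resolved by uuid alone, so any caller who knows
    an employeeUuid (their own or one in another business) can set its role,
    and a 'user' can promote themselves to 'admin'."""
    for target_uuid, new_role in updates:
        directory[target_uuid].role = new_role  # no caller-role or tenant check

def update_employees_hardened(directory, caller_uuid, updates):
    """Authorize against the caller's own business before touching anything."""
    caller = directory[caller_uuid]
    if caller.role != "admin":
        raise AuthzError("only business admins may edit employees")
    targets = []
    for target_uuid, new_role in updates:
        target = directory.get(target_uuid)
        # Tenant scope: a uuid outside the caller's business is treated exactly
        # like an unknown one, so the response does not confirm it exists.
        if target is None or target.business_id != caller.business_id:
            raise AuthzError("employee not found in this business")
        targets.append((target, new_role))
    for target, new_role in targets:  # whole batch validated first; now apply
        target.role = new_role

def attempt(handler, directory, caller_uuid, updates):
    """Return True if the handler accepted the batch, False if it refused."""
    try:
        handler(directory, caller_uuid, updates)
        return True
    except AuthzError:
        return False
```

Validating the whole batch before applying any change also prevents a partially applied request from leaving one business's records half-edited when a later entry in the batch is rejected.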