Admin privilege escalation security bug

Issue #6629 resolved
Miles Burton created an issue


I believe it's possible to gain admin access to any account which hasn't got a 'premium' subscription.

Fairly simple really, generate an invoice link to upgrade their account. The email addresses you provide automatically gain admin access to the associated account without any authorisation from the origin account.

While it leaves a fairly good audit trail (unless you're using a stolen CC) it should allow you to escalate rights on any account.

Hopefully I'm wrong

  1. Erik van Zijst

    I don't think I follow. What do you mean by not being on a "premium subscription"? Someone on the free plan?

    And what invoice link do you mean? Which email address gets authorized? Maybe you can provide an actual example?

    If you'd rather keep this private, feel free to email and mention my name so I can take it up from there.