In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade pageflow
to version 14.5.2, 15.7.1 or higher.
Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via a crafted request sent to the /admin/users/{user_id}/memberships/{membership_id}
endpoint containing an additional membership[entity_id]
parameter. This will allow an attacker to update the membership object associated with their account (with manager role) to be associated with a different attacker-chosen account instead. Since account_ids are enumerable, an attacker can compromise all accounts present on the platform.