@mishre discovered a way to update an organization from a free plan to a paid team plan with any number of seats without having provided billing information. By adding the organization plan attributes to the request made when updating profile information, the organization’s plan would be changed without any billing validation. We addressed the vulnerability by passing the user-supplied parameters through a whitelist of attributes allowed for a profile update.
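The mass-assignment pattern behind this finding, as an added illustration rather than GitHub's own code: a simplified organization record with billing attributes, a handler that writes every submitted key, and the hardened form that filters the request through an allowlist of profile attributes. The attribute names, handlers and crafted request are constructed for the example.

```ruby
# Added example (not GitHub's code): mass assignment on a profile update.
# Simplified organization model; plan/seats sit beside ordinary profile fields.
# Assumption: attribute names and handlers are constructed for illustration.
Organization = Struct.new(:name, :description, :plan, :seats, keyword_init: true)

# Attributes a profile update may touch. Plan and seat count are deliberately
# absent: changing them must go through the billing flow, not this endpoint.
PROFILE_ATTRIBUTES = %w[name description].freeze

# Vulnerable handler: every key the client sends is written to the record, so a
# request that also carries "plan" and "seats" silently upgrades the organization.
def update_profile_unsafe(org, params)
  params.each do |key, value|
    org[key.to_sym] = value if org.respond_to?("#{key}=")
  end
  org
end

# Hardened handler: the request is filtered through the allowlist first; keys
# outside it are dropped and returned so the caller can log or alert on them.
def update_profile_safe(org, params)
  allowed, rejected = params.partition { |key, _| PROFILE_ATTRIBUTES.include?(key.to_s) }
  allowed.each { |key, value| org[key.to_sym] = value }
  [org, rejected.to_h]
end

# Constructed request: a legitimate description change with plan attributes appended.
CRAFTED_REQUEST = {
  "description" => "We build things",
  "plan" => "team",
  "seats" => 500
}.freeze

def fresh_org
  Organization.new(name: "acme", description: "", plan: "free", seats: 0)
end

# Runs both handlers against the same crafted request and reports the outcome.
def demo
  unsafe = update_profile_unsafe(fresh_org, CRAFTED_REQUEST)
  safe, rejected = update_profile_safe(fresh_org, CRAFTED_REQUEST)
  { unsafe_plan: unsafe.plan, unsafe_seats: unsafe.seats,
    safe_plan: safe.plan, safe_description: safe.description,
    rejected_keys: rejected.keys }
end

p demo if __FILE__ == $PROGRAM_NAME
```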
@mishre discovered that an organization member could set the membership visibility for other members. A user can set their organization membership to “private” if they do not want to be publicly listed as a member of an organization. However, because of a bug related to how user IDs were parsed from the request, an organization member could craft a request that would let them set the membership visibility for another member. We addressed the vulnerability by fixing the request parsing so that the existing authorization logic was enforced correctly.