Unauthorized Team members viewing
Unknown
Vulnerability Details
In a Team, a user that does not have an admin permission at https://hackerone.com/[team_name]/team_members can view the list of users in the Program by visiting
https://hackerone.com/[team_name]/team_members.json
Although it is only a user with an admin permission that can view the Team members and modify their permission, but other members that do not have such right can view ALL the members in the Team.
Actions
View on HackerOneReport Stats
- Report ID: 123572
- State: Closed
- Substate: informative
- Upvotes: 11