PT-2022-19247 · Zapier · Code By Zapier

Michael Bargury · Published 2022-09-21 · Updated 2025-05-27 · CVE-2022-28802

CVSS v3.1: 9.9 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Code by Zapier versions prior to 2022-08-17

Description: The issue allowed intra-account privilege escalation, including the execution of arbitrary Python or JavaScript code, which effectively gave every user of the account a customer-controlled general-purpose virtual machine. As a result, full access was unintentionally granted to all users of a company's account instead of being restricted by role-based access control within that account.

Recommendations: For versions prior to 2022-08-17, consider running applications that hold credentials or other secrets not meant to be shared among all employees on a separate virtual machine; because isolation is only enforced at the account boundary, this requires operating each such independent virtual machine under its own account.

Fix

LPE

Incorrect Permission

Weakness Enumeration

Related Identifiers

CVE-2022-28802

Affected Products

Code By Zapier