Name of the Vulnerable Software and Affected Versions Pageflow versions prior to 14.5.2 Pageflow versions prior to 15.7.1

Description The issue allows attackers to update membership objects associated with their own account to be associated with a different account, potentially compromising all accounts on the platform. This can be achieved by crafting a request to the "/admin/users/{user id}/memberships/{membership id}" endpoint with an additional membership[entity id] parameter. Since account ids are enumerable, an attacker can exploit this to access all accounts.

Recommendations For versions prior to 14.5.2, upgrade to version 14.5.2 of the pageflow gem. For versions prior to 15.7.1, upgrade to version 15.7.1 of the pageflow gem.