


Perceptive Security
SOC/SIEM Consultancy

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to ta…
Published:
28 May 2026 at 22:00:00
Alert date:
29 May 2026 at 21:09:42
Source:
nvd.nist.gov
Web Technologies, Identity & Access
Two authorization defects in the team settings of Shopper, a headless e-commerce admin panel, allowed any authenticated panel user to take over its role-based access control (RBAC) in versions prior to 2.8.0. The first defect: the Settings/Team/Index component performed no authorization check in mount(), so any authenticated user could load it and use its actions to create roles and delete users, administrators included. The second: the Settings/Team/RolePermission component gated permission assignment only on the view_users permission, so a user holding that read-level permission could grant themselves arbitrary permissions. Chained, the two defects let a low-privileged authenticated user escalate to full administrator and remove the legitimate administrators. Both defects are fixed in version 2.8.0.
Technical details
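The two defects described above, as an added illustrative example that is not Shopper's own code: a Laravel/Livewire component with no authorization in mount() beside a hardened version that authorizes in mount() and again in every action, and a role-permission component that requires a management permission rather than view_users and refuses to hand out permissions the acting user does not hold. The namespace, class names, view names and permission names ('manage_team', 'manage_roles') are assumptions, and the Role model is taken from spatie/laravel-permission purely for illustration; substitute the project's own RBAC API.

```php
<?php
// Added illustration, not Shopper's own code. Namespace, class names, view names,
// permission names ('manage_team', 'manage_roles', 'view_users') and the
// spatie/laravel-permission Role model are assumptions chosen for this example.

namespace App\Livewire\Settings\Team;

use App\Models\User;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component;
use Spatie\Permission\Models\Role;

// Vulnerable pattern: no authorization in mount(), so any authenticated panel
// user who reaches the component can invoke its actions.
class VulnerableIndex extends Component
{
    public function deleteUser(int $userId): void
    {
        User::findOrFail($userId)->delete();   // administrators included
    }

    public function render()
    {
        return view('livewire.settings.team.index');
    }
}

// Hardened pattern: authorize on mount, and again inside every action. mount()
// runs only on the initial page load; each Livewire action arrives as a later
// HTTP request and must not rely on a check made earlier.
class Index extends Component
{
    use AuthorizesRequests;

    public function mount(): void
    {
        $this->authorize('manage_team');
    }

    public function deleteUser(int $userId): void
    {
        $this->authorize('manage_team');
        abort_if($userId === auth()->id(), 403, 'You cannot delete your own account.');
        User::findOrFail($userId)->delete();
    }

    public function render()
    {
        return view('livewire.settings.team.index');
    }
}

// Second defect: gating permission assignment on a read-level permission such as
// 'view_users'. The fix requires a management permission and additionally refuses
// to grant any permission the acting user does not hold, so a user cannot push
// their own role beyond their current rights.
class RolePermission extends Component
{
    use AuthorizesRequests;

    public Role $role;

    public function mount(Role $role): void
    {
        $this->authorize('manage_roles');   // not merely 'view_users'
        $this->role = $role;
    }

    public function grant(string $permission): void
    {
        $this->authorize('manage_roles');
        abort_unless(auth()->user()->can($permission), 403,
            'You may only grant permissions you hold yourself.');
        $this->role->givePermissionTo($permission);
    }

    public function render()
    {
        return view('livewire.settings.team.role-permission');
    }
}
```

When reviewing a Livewire-based admin panel for this class of bug, check every component under a privileged route for two things: an authorization call in mount(), and a repeated call in each public method that mutates state, since the second is what stops a user whose rights were revoked after page load, or who replays an action request, from continuing to act.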
Mitigation steps:
Upgrade Shopper to version 2.8.0 or later, where both defects are fixed.
Affected products:
Shopper
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-47744
https://github.com/shopperlabs/shopper/security/advisories/GHSA-c3qp-2ggw-xjg7
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
