


Perceptive Security
SOC/SIEM Consultancy

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to ta…
Published:
28 May 2026 at 22:00:00
Alert date:
29 May 2026 at 20:03:36
Source:
nvd.nist.gov
Web Technologies, Identity & Access
The Shopper headless e-commerce admin panel contains two critical authorization defects in its team settings that allow authenticated users to take over the RBAC system. The vulnerabilities enable privilege escalation from a low-privilege user to full administrator through missing authorization checks in Settings/Team/Index and improper permission gating in Settings/Team/RolePermission. Attackers can create roles, delete administrators, and grant arbitrary permissions. The vulnerabilities affect versions prior to 2.8.0 and are patched in version 2.8.0.
Technical details
Mitigation steps:
Affected products:
Shopper
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-47744
https://github.com/shopperlabs/shopper/security/advisories/GHSA-c3qp-2ggw-xjg7
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
