HackerOne Disclosed Reports - 2025-11-07


High
resolved

Unauthorized Password Reset Allows Account Takeover Across Tenant Boundaries


Bug reported by David was disclosed on November 7, 2025, at 9:33 am

An authorization issue was discovered in the application that allowed a tenant admin to change the password of another user within the same tenant, including invited agency accounts. The victim first had to accept the invitation before the attacker could proceed. The issue could allow unintended account access within a shared tenant environment, but multi-factor authentication successfully prevented logins when it was enabled. The issue was reported to the vendor and addressed to ensure stricter access controls on user credential changes.


Low
resolved

Low-privileged user can enable or disable Lovable AI for new projects in workspace


Bug reported by antonio was disclosed on November 7, 2025, at 3:52 am   |   Improper Authorization

A vulnerability was discovered that allowed low-privileged users to enable or disable Lovable AI for new projects in a workspace. The vulnerability was caused by improper authorization: low-privileged users could modify the Lovable AI settings by replaying requests to certain API endpoints that should have been restricted to higher-privileged roles.

