...
promotion of a volunteer to Admin or OrgAdmin
promotion of a volunteer to OP or AP roles. ( i.e. membership of an OP/AP org)
creation of an organisation except by invitation or admin access.
membership of a person to an organisation except through invitation or OrgAdmin
listing of all people in the system - names and emails.
access to the phone number of a person except where an interest or membership relationship exists.
modification of another person’s profile
impersonation of another person
any direct database listing
shell on a server container
listing of env vars from a server container
access to any secrets - AWS API key, MONGODB credentials etc.
issuing an unwarranted badge or assigning a badge to another person
access to members, interests, activities and any other non-public information by a non signed-in person
access to any /admin page by non-admin person
modification of any web page.
spoofing of sign in.
execution of malicious javascript on client browser entered by another person on the site.
listing, access or modification of the S3 store holding people’s uploaded images