Any Team Member Can Access Billing Link

Low
arvid220u published GHSA-g4ff-54cv-h6f9 Nov 27, 2024

Package

Cursor Billing

Affected versions

< Nov 27, 2024

Patched versions

All versions, post Nov 27

Description

Prior to Nov 27, 2024, any member of a team was able to access the team's billing page, containing addresses and last 4 card digits of the team's billing admin. This has been patched, and the link is now only available for team admins.

Details

The endpoint https://www.cursor.com/api/portal-team returns a response containing a portalUrl parameter that directly links to the billing page. Prior to the Nov 27 patch, this endpoint was accessible to any member of a team, including non-admins, even though the UI on the settings page would hide the link if the user was not an admin.
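The defect described above is a UI-only control: the settings page hides the link for non-admins, but the endpoint that hands out the portal URL did not check the caller's role. The following is an added illustration, not Cursor's code; the team record, user ids, role names, handler shape and the placeholder billing URL are all assumptions. It models the pre-patch handler beside a hardened one that enforces the admin check server-side, plus a regression-style check that every non-admin member is denied regardless of what the UI shows.

```javascript
// Added example (not Cursor's code): a minimal model of an authorization check
// for a "portal-team" style endpoint. All names and data below are assumed.

// Constructed sample team record: one admin, two regular members.
const team = {
  id: "team-123",
  members: [
    { userId: "u-admin", role: "admin" },
    { userId: "u-dev1", role: "member" },
    { userId: "u-dev2", role: "member" },
  ],
  // Assumed: the billing portal link for this team (placeholder, not a real URL).
  portalUrl: "https://billing.example.invalid/portal/team-123",
};

function isMember(team, userId) {
  return team.members.some((m) => m.userId === userId);
}

function isAdmin(team, userId) {
  return team.members.some((m) => m.userId === userId && m.role === "admin");
}

// Pre-patch shape (the behaviour the advisory describes): any team member
// receives portalUrl; only the UI hides the link from non-admins.
function portalTeamBefore(team, userId) {
  if (!isMember(team, userId)) {
    return { status: 403, body: { error: "forbidden" } };
  }
  return { status: 200, body: { portalUrl: team.portalUrl } };
}

// Post-patch shape: the server checks the caller's role itself, so hiding the
// link in the UI is no longer the only control protecting billing data.
function portalTeamAfter(team, userId) {
  if (!isAdmin(team, userId)) {
    // Same response for non-members and non-admin members, so the endpoint
    // does not reveal team membership either.
    return { status: 403, body: { error: "forbidden" } };
  }
  return { status: 200, body: { portalUrl: team.portalUrl } };
}

// Regression-style check a defender keeps in the test suite: every non-admin
// member of the team must be denied by the server, independent of the UI.
function nonAdminsDenied(team, handler) {
  return team.members
    .filter((m) => m.role !== "admin")
    .every((m) => handler(team, m.userId).status === 403);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("before patch, non-admins denied:", nonAdminsDenied(team, portalTeamBefore)); // false
  console.log("after patch, non-admins denied:", nonAdminsDenied(team, portalTeamAfter));   // true
}
```

The point of `nonAdminsDenied` is that it exercises the handler directly, bypassing any front-end, which is exactly the path a client can take against a real API; a check that only asserts the link is hidden in the rendered page would have passed on the vulnerable version.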

Patches

A server-side patch restricting billing access to team admins was deployed on Nov 27, the same day the report was received.

Workarounds

The patch has been applied server-side, so no additional action is needed.

Severity

Low

CVE ID

No known CVE

Weaknesses

No CWEs

Credits