I think I have found a security issue.
Inviting a person who has an expired account to a project lets them participate in project activity via their email address, which is against Mavenlink's business policy, as after an account has expired at the end of the trial period they need to buy a plan to access all the features.
As we know, on signing up, Mavenlink offers a trial account for a limited period, where users can check out all the features and get a basic understanding of how Mavenlink works. However, after the trial period is over for a free account, upon logging in to the actor's account he gets a message like this, and it's not possible to access anything at all, as this comes up every time.
So, if the user does not choose a plan he actually cannot access this account now; trying to navigate to any section brings him to
where Mavenlink prompts the user to select a plan to continue using the features of the application. However, if someone creates a project and invites the expired account holder, he receives an email that he has been invited to the project. When he tries to open it he cannot access it; as I have mentioned, the application lands on the same page and prompts him to buy a plan. However, if the expired account owner replies to the email, a comment is placed on the project. In particular, when any post is made on the project timeline the expired account holder receives an email, and by replying to that email he can participate in the conversation without any problem, whereas if the expired account holder tries to access the project with a direct link he cannot, and lands on the same page again where he needs to choose a plan to move forward with Mavenlink.
So, an actor can post comments / participate in conversations via email when he actually does not have access to that through the application due to Mavenlink's business policy. It seems the actor is getting more access / privilege than he should get, and that is why I believe this is a security issue.
The user is getting the privilege to participate in a project that he could only have after selecting a paid plan; he can make comments by simply replying to the email he received. Unethical actors may take advantage of this current behavior, which will eventually affect Mavenlink financially, as the user can perform this action without selecting a paid plan.
I am attaching a video demonstration. Hope you will investigate this and get back with an update.
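The behaviour described above, as an added illustration that is not Mavenlink's code: a toy inbound-email comment handler in which the reply channel skips the account-status gate the web UI enforces, beside a version that applies the same gate. All class and method names (User, Project, InboundMail, handle_reply_*) are hypothetical, and the sample data is constructed.

```ruby
require 'date'

# Hypothetical models standing in for the application's user, project and inbound mail records.
User = Struct.new(:email, :trial_ends_on, :paid_plan)
Project = Struct.new(:name, :member_emails, :comments)
InboundMail = Struct.new(:from, :project, :body)

# Mirrors the web-UI gate from the report: after the trial, an account without a plan
# is sent to the "choose a plan" page and cannot use any feature.
def account_active?(user, today = Date.today)
  user.paid_plan || today <= user.trial_ends_on
end

# Vulnerable variant: any reply from an invited address is posted as a comment,
# regardless of whether the sender's account is still allowed to use the product.
def handle_reply_vulnerable(mail, users)
  user = users[mail.from]
  return :rejected_unknown_sender unless user
  return :rejected_not_member unless mail.project.member_emails.include?(mail.from)
  mail.project.comments << [mail.from, mail.body]
  :posted
end

# Hardened variant: the email channel applies the same account-status check as the UI,
# so an expired trial account can no longer comment by replying to a notification.
def handle_reply_hardened(mail, users, today = Date.today)
  user = users[mail.from]
  return :rejected_unknown_sender unless user
  return :rejected_not_member unless mail.project.member_emails.include?(mail.from)
  return :rejected_account_expired unless account_active?(user, today)
  mail.project.comments << [mail.from, mail.body]
  :posted
end

# Constructed scenario: an invited account whose trial ended before "today" replies to
# a project notification. Returns both outcomes and the number of comments that landed.
def demo(today = Date.new(2024, 6, 1))
  expired = User.new('expired@example.com', Date.new(2024, 5, 1), false)
  users = { expired.email => expired }
  project = Project.new('Demo project', [expired.email], [])
  mail = InboundMail.new(expired.email, project, 'Replying from my inbox')
  vulnerable = handle_reply_vulnerable(mail, users)
  hardened = handle_reply_hardened(mail, users, today)
  [vulnerable, hardened, project.comments.size]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The key point is that authorization state (here, trial expiry) must be checked on every channel that can mutate project data, not only in the web request path.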