No Email Checking at Invitation Confirmation Link leads to Account Takeover without User Interaction at CrowdSignal
Critical
Vulnerability Details
## Summary:
Hi team,
When you have a team account, you can invite users to your team from https://app.crowdsignal.com/users/list-users.php
If you invite a user, you will see this:
{F893386}
As you can see, there is a confirmation link, and we can see it from our dashboard.
And if you invite an email that already exists on the website, you can see the confirmation link again. In this link there is no e-mail check: when you click the confirmation link, you log in to the victim's account without any error or credentials.
## Steps To Reproduce:
1. Go to https://app.crowdsignal.com/users/list-users.php with your team account
2. Invite an existing email (write the victim's email)
3. Click the confirmation link with your account
4. You will log in to the victim's account directly
## PoC video:
{F893388}
## Impact
Account Takeover without user interaction
Thanks,
Bugra
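The report describes an invitation link that is accepted without checking who is signed in. The following is an added example, not CrowdSignal's code, that contrasts that flawed acceptance logic with a hardened version which only grants team membership when the accepting session is already authenticated as the invited address, and which refuses replayed tokens. Account ids and e-mail addresses are constructed.

```python
"""Invitation confirmation: flawed flow beside a hardened one (illustrative, constructed data)."""
import secrets
from dataclasses import dataclass


@dataclass
class Invitation:
    token: str
    invited_email: str
    team_id: str
    used: bool = False


class InviteService:
    def __init__(self):
        # Constructed account directory: e-mail -> account id
        self.accounts = {"victim@example.com": "acct-victim",
                         "attacker@example.com": "acct-attacker"}
        self.invites = {}   # token -> Invitation
        self.members = {}   # team_id -> set of account ids

    def create_invite(self, invited_email, team_id):
        # The token is unguessable, but that alone does not bind it to the invitee:
        # the team owner can read it from the dashboard, as the report shows.
        inv = Invitation(secrets.token_urlsafe(32), invited_email.lower(), team_id)
        self.invites[inv.token] = inv
        return inv.token

    def accept_flawed(self, token):
        """Flawed pattern: whoever presents the link is signed in as the invited address."""
        inv = self.invites[token]
        return self.accounts[inv.invited_email]  # session now belongs to the invitee's account

    def accept_hardened(self, token, session_email):
        """Hardened: the link never creates a session; it only attaches an
        already-authenticated user to the team, and only if that user IS the invitee."""
        inv = self.invites.get(token)
        if inv is None or inv.used:
            return (False, "unknown or already-used invitation")
        if session_email is None:
            return (False, "sign in as the invited address first")
        if session_email.lower() != inv.invited_email:
            return (False, "invitation was issued to a different e-mail address")
        inv.used = True  # single use: a leaked or re-sent link cannot be replayed
        account_id = self.accounts[session_email.lower()]
        self.members.setdefault(inv.team_id, set()).add(account_id)
        return (True, account_id)
```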
Report Stats
- Report ID: 915110
- State: Closed
- Substate: resolved
- Upvotes: 55