Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3025797 by adilnbabras
Hi, team. There is a feature to Pin and Unpin comments of translations or entities, but this functionality is only available for privileged users (i.e., Project Manager). Upon checking the backend code for this functionality, I realized that any user can Pin|Unpin any comment on any translation or entity because there are no checks.
Go to https://mozilla-pontoon-staging.herokuapp.com/ and Login to your account.
Click on teams and select any language.
███
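The missing-check pattern described in this report, as an added example that is not Pontoon's own code: a framework-free Python model of a pin/unpin comment action in its vulnerable form (the only gate is being logged in) beside a hardened form that resolves the project from the comment being acted on and requires the manager role on that project. Class names, the `managers` field and the usernames are assumptions; the scenario is constructed.

```python
# Added example, not Pontoon's own code: a framework-free model of the
# pin/unpin comment action from the report, in its vulnerable form (no
# authorization check beyond login) and a hardened form that enforces an
# object-level "project manager" check. Class and field names are assumptions.
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when the caller may not perform the action (maps to HTTP 403)."""


@dataclass
class Project:
    slug: str
    # Usernames holding the manager role on this project (assumed model).
    managers: set = field(default_factory=set)


@dataclass
class Comment:
    id: int
    project: Project
    pinned: bool = False


@dataclass
class User:
    username: str
    is_authenticated: bool = True


def pin_comment_vulnerable(user: User, comment: Comment, pin: bool) -> bool:
    """Vulnerable handler: the only gate is that the caller is logged in.

    Any authenticated user can pin or unpin any comment on any project,
    which is the missing check the report describes.
    """
    if not user.is_authenticated:
        raise PermissionDenied("login required")
    comment.pinned = pin
    return comment.pinned


def is_project_manager(user: User, project: Project) -> bool:
    """Object-level check: manager of *this* comment's project, not of any project."""
    return user.is_authenticated and user.username in project.managers


def pin_comment_fixed(user: User, comment: Comment, pin: bool) -> bool:
    """Hardened handler: derive the project from the comment being acted on
    and require the manager role on that project before changing state."""
    if not is_project_manager(user, comment.project):
        raise PermissionDenied(
            f"{user.username} is not a manager of {comment.project.slug}"
        )
    comment.pinned = pin
    return comment.pinned


def demo_pin_authz() -> dict:
    """Constructed scenario: two projects, one manager each, one ordinary user."""
    fr = Project("fr", managers={"alice"})
    de = Project("de", managers={"bob"})
    comment = Comment(id=1, project=fr)
    alice, bob, eve = User("alice"), User("bob"), User("eve")
    results = {}

    # Vulnerable: eve, who holds no role anywhere, pins a comment in "fr".
    results["vuln_eve"] = pin_comment_vulnerable(eve, comment, True)
    comment.pinned = False

    # Fixed: eve is rejected.
    try:
        pin_comment_fixed(eve, comment, True)
        results["fixed_eve"] = "allowed"
    except PermissionDenied:
        results["fixed_eve"] = "denied"

    # Fixed: bob manages "de", not "fr", so he is rejected too (object-level).
    try:
        pin_comment_fixed(bob, comment, True)
        results["fixed_bob"] = "allowed"
    except PermissionDenied:
        results["fixed_bob"] = "denied"

    # Fixed: alice manages "fr" and may pin and unpin.
    results["fixed_alice_pin"] = pin_comment_fixed(alice, comment, True)
    results["fixed_alice_unpin"] = pin_comment_fixed(alice, comment, False)
    return results


if __name__ == "__main__":
    print(demo_pin_authz())
```

The point of the `bob` case is that a global "is this user a manager somewhere" check would still be an IDOR: the role has to be checked against the project the targeted comment belongs to.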
An unauthenticated AEM Sling servlet exposes four CRUD operations (getData / getDataById / setData / updateData) on the internal marketing-campaign database via a single option request header. The only access control is a Referer string check that any HTTP client trivially bypasses. Anonymous attackers can read the full 79-campaign dataset (including internal segmentation logic and the names of internal prospect databases), create arbitrary new campaigns in the production backoffice, and overwrite existing real production campaigns.
HackerOne disclosed report --> https://hackerone.com/reports/3676308 by glferreira-devsecops
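The Referer-gated servlet pattern described in this report, as an added example that is not Adobe's, AEM's or the program's own code: a Python model of a handler whose `option` header selects the operation and whose only gate is a Referer prefix check, beside a hardened version that authorizes on the authenticated principal's group and ignores Referer for access decisions. The host name, group name, campaign records and user names are constructed assumptions.

```python
# Added example, not AEM's or the program's own code: a Python model of the
# Sling servlet access pattern from the report. The "option" header selects
# the operation; the vulnerable version gates only on a Referer prefix, which
# any HTTP client can forge. The fixed version keys access on the container's
# authenticated principal and group. Hosts, groups and records are constructed.
import copy
from dataclasses import dataclass, field
from typing import Optional

TRUSTED_REFERER = "https://backoffice.example.com/"   # assumed trusted origin
ALLOWED_GROUP = "marketing-campaign-editors"          # assumed editor group

# Constructed stand-in for the internal campaign database.
CAMPAIGNS = {
    1: {"id": 1, "name": "spring-promo", "segment": "prospects_db_a"},
    2: {"id": 2, "name": "summer-promo", "segment": "prospects_db_b"},
}


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)
    # Authenticated principal as the container would expose it; None = anonymous.
    user: Optional[str] = None
    groups: set = field(default_factory=set)


def _dispatch(req: Request, db: dict):
    """The four CRUD operations, selected by the 'option' request header."""
    op = req.headers.get("option")
    if op == "getData":
        return 200, list(db.values())
    if op == "getDataById":
        rec = db.get(int(req.params.get("id", 0)))
        return (200, rec) if rec else (404, None)
    if op == "setData":
        new_id = max(db) + 1 if db else 1
        db[new_id] = {"id": new_id, **{k: v for k, v in req.params.items() if k != "id"}}
        return 201, db[new_id]
    if op == "updateData":
        rec = db.get(int(req.params.get("id", 0)))
        if rec is None:
            return 404, None
        rec.update({k: v for k, v in req.params.items() if k != "id"})
        return 200, rec
    return 400, None


def servlet_vulnerable(req: Request, db: dict):
    """Referer is client-controlled, so this check is not access control."""
    if not req.headers.get("Referer", "").startswith(TRUSTED_REFERER):
        return 403, None
    return _dispatch(req, db)


def servlet_fixed(req: Request, db: dict):
    """Authorize on the authenticated principal's group; never on Referer."""
    if req.user is None:
        return 401, None
    if ALLOWED_GROUP not in req.groups:
        return 403, None
    return _dispatch(req, db)


def demo_servlet_authz() -> dict:
    results = {}

    # Anonymous attacker: any HTTP client can set an arbitrary Referer header.
    forged = {"Referer": TRUSTED_REFERER + "campaigns.html", "option": "getData"}
    db = copy.deepcopy(CAMPAIGNS)
    status, body = servlet_vulnerable(Request(headers=forged), db)
    results["vuln_anon_read"] = (status, len(body))

    # Same forged Referer, now overwriting a production record.
    overwrite = Request(headers={**forged, "option": "updateData"},
                        params={"id": "1", "name": "hijacked"})
    status, _ = servlet_vulnerable(overwrite, db)
    results["vuln_anon_overwrite"] = (status, db[1]["name"])

    # Hardened servlet: the forged request has no principal, so no access.
    db = copy.deepcopy(CAMPAIGNS)
    results["fixed_anon"] = servlet_fixed(Request(headers=forged), db)[0]

    # Authenticated user outside the editor group: still denied.
    viewer = Request(headers={"option": "getData"}, user="carol", groups={"viewers"})
    results["fixed_wrong_group"] = servlet_fixed(viewer, db)[0]

    # Authenticated editor with no Referer at all: allowed, Referer is not the gate.
    editor = Request(headers={"option": "getData"}, user="dave", groups={ALLOWED_GROUP})
    status, body = servlet_fixed(editor, db)
    results["fixed_editor_read"] = (status, len(body))
    return results


if __name__ == "__main__":
    print(demo_servlet_authz())
```

A Referer check can stay as a weak CSRF hint for browser-originated traffic, but it must never be the decision point for reading or writing the dataset; the decision has to come from the authenticated principal the container establishes.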