Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3025797 by adilnbabras
Hi, team. There is a feature to Pin and Unpin comments of translations or entities, but this functionality is only available for privileged users (i.e., Project Manager). Upon checking the backend code for this functionality, I realized that any user can Pin|Unpin any comment on any translation or entity because there are no checks.
Go to https://mozilla-pontoon-staging.herokuapp.com/ and log in to your account.
Click on teams and select any language.
███
HackerOne disclosed report --> https://hackerone.com/reports/3378540 by theokeen
After an initial 2FA bypass vulnerability was “fixed” by removing the isVerifyAuth cookie from local storage, the application still trusted this value if it existed.
HackerOne disclosed report --> https://hackerone.com/reports/3370430 by hossam25