Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3025797 by adilnbabras
Hi, team. There is a feature to Pin and Unpin comments of translations or entities, but this functionality is only available for privileged users (i.e., Project Manager). Upon checking the backend code for this functionality, I realized that any user can Pin|Unpin any comment on any translation or entity because there are no checks.
Go to https://mozilla-pontoon-staging.herokuapp.com/ and Login to your account.
Click on teams and select any language.
███
pyus3rA vulnerability was identified where an authenticated user could disable Multi-Factor Authentication (MFA) on their own account by modifying hidden account attributes through a backend API endpoint. This allowed subsequent logins without an MFA prompt, effectively bypassing the security control and increasing the risk of unauthorized access in the event of credential compromise.
hackerone-reportsHackerOne disclosed report --> https://hackerone.com/reports/3543475 by xavlimsg
hackerone-reportsHackerOne disclosed report --> https://hackerone.com/reports/3020021 by adilnbabras
No comments yet.
Be the first to share your thoughts
Log in to join the discussion.
Sign In