Improper Access Control - Generic (CWE-284)CVSS 6.5Medium

[Vertical Privilege Escalation] User can Unapproved any Approved Translation at [/translations/unapprove/]

hackerone-reports

April 11, 2026

21 views

Save

€0

Vulnerability Summary

HackerOne disclosed report --> https://hackerone.com/reports/3020021 by adilnbabras

Hi, team. During testing, I discovered that only privileged users or translation owners can unapprove an approved translation, but due to logical errors, any logged-in user can unapprove any approved translation.

Steps To Reproduce:

Go to https://mozilla-pontoon-staging.herokuapp.com/ and log in to your account.
Click on Teams and select any team from the menu.

Identification Required

You must be logged in to read this writeup. Join our community of researchers today.

Sign In Register

Related Writeups

pyus3r

Improper Access Control on www.target.example through /services/formcampaign via header "option" leads to unauthenticated read/write on the production marketing-campaign database

An unauthenticated AEM Sling servlet exposes four CRUD operations (getData / getDataById / setData / updateData) on the internal marketing-campaign database via a single option request header. The only access control is a Referer string check that any HTTP client trivially bypasses. Anonymous attackers can read the full 79-campaign dataset (including internal segmentation logic and the names of internal prospect databases), create arbitrary new campaigns in the production backoffice, and overwrite existing real production campaigns.

Read Writeup →

hackerone-reports

POST /api/bitcoinWithdrawalFees returns financial data without authentication despite being documented as a USER OPERATION (private endpoint)

HackerOne disclosed report --> https://hackerone.com/reports/3676308 by glferreira-devsecops

Read Writeup →

gpk21

LogicalBreach Academy