Mozilla: User Can Delete Other Users' Personal Access Tokens at /delete-token/{token_id}/ on Mozilla Pontoon
A vulnerability was discovered in the Mozilla Pontoon application that allowed users to delete other users' personal access tokens at the /delete-token/{token_id}/ endpoint without proper permission checks. The vulnerability was caused by the absence of user permission verification in the deletetoke...
Mozilla: [Privilege Escalation] User can Pin|Unpin Any Comment on Any Project or Locale
A vulnerability was discovered in the Pontoon application where any user could pin or unpin comments on any project or locale, despite lacking the necessary privileges. This was possible due to the lack of proper access controls in the backend code handling the pin and unpin functionality...
Mozilla: [Vertical Privilege Escalation] User can Unapprove any Approved Translation at [/translations/unapprove/]
A vulnerability was discovered in the Pontoon web application where any logged-in user could unapprove any approved translation, regardless of their privileges. This was due to a logical error in the validation logic, which allowed bypassing the authorization check. The vulnerability could be...
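All three reports share one root cause: an authenticated endpoint acts on an object named by an id in the URL (a token, a comment, a translation) without checking that the caller is allowed to act on that particular object. The following is an added example, not Pontoon's own code and not taken from the reports: a framework-free Python model with constructed users, tokens and a locale, showing the lookup-by-id-only pattern the first report describes beside an ownership-scoped lookup, and a hypothetical per-locale "translator" role check standing in for whatever privilege Pontoon actually requires for pin/unpin and unapprove. The role model, `require_translator`, and all names are assumptions for illustration.

```python
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Raised when the caller may not act on the target object (a 403 in a web view)."""


@dataclass(frozen=True)
class User:
    username: str


@dataclass
class Token:
    token_id: int
    owner: User


@dataclass
class Locale:
    code: str
    # Hypothetical role model: usernames allowed to approve/unapprove/pin here.
    translators: frozenset = frozenset()


@dataclass
class Translation:
    translation_id: int
    locale: Locale
    approved: bool = True


@dataclass
class Comment:
    comment_id: int
    locale: Locale
    pinned: bool = False


def sample_world():
    """Constructed data: two token owners and one locale with a single translator."""
    alice, bob = User("alice"), User("bob")
    fr = Locale("fr", translators=frozenset({"alice"}))
    tokens = {1: Token(1, alice), 2: Token(2, bob)}
    translations = {10: Translation(10, fr)}
    comments = {100: Comment(100, fr)}
    return tokens, translations, comments


def delete_token_vulnerable(user, tokens, token_id):
    """Pattern from the first report: login is required, but the id from the
    URL is deleted without checking who owns it."""
    del tokens[token_id]
    return True


def delete_token_fixed(user, tokens, token_id):
    """Object-level check: the token must belong to the caller. Because the lookup
    is scoped to (id, owner), someone else's id behaves exactly like a nonexistent
    one, so the endpoint neither deletes nor confirms other users' tokens."""
    token = tokens.get(token_id)
    if token is None or token.owner != user:
        raise PermissionDenied(f"{user.username} may not delete token {token_id}")
    del tokens[token_id]
    return True


def require_translator(user, locale):
    """Role check for privileged actions scoped to a locale (hypothetical role)."""
    if user.username not in locale.translators:
        raise PermissionDenied(f"{user.username} is not a translator for {locale.code}")


def unapprove_vulnerable(user, translations, translation_id):
    """Pattern from the second and third reports: a privileged state change
    that any logged-in user can trigger."""
    translations[translation_id].approved = False
    return translations[translation_id].approved


def unapprove_fixed(user, translations, translation_id):
    t = translations[translation_id]
    require_translator(user, t.locale)  # authorize against the object's own locale
    t.approved = False
    return t.approved


def set_pinned_fixed(user, comments, comment_id, pinned):
    c = comments[comment_id]
    require_translator(user, c.locale)
    c.pinned = pinned
    return c.pinned


def denied(fn, *args):
    """Helper for demonstrations: True if the call is refused with PermissionDenied."""
    try:
        fn(*args)
    except PermissionDenied:
        return True
    return False
```

In a Django code base such as Pontoon's, the `delete_token_fixed` pattern is the one-liner `get_object_or_404(Token, pk=token_id, user=request.user)`: filtering by the requesting user in the same query means there is no window between "fetch" and "check", and no separate branch a refactor can later drop. Role checks for project- or locale-scoped actions (pin/unpin, unapprove) belong next to the object lookup in the same way, derived from the object's own project and locale rather than from anything the client sends.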