Bugsink
Monthly
Cross-project issue state modification in Bugsink prior to 2.2.0 allows authenticated users with access to one project to alter the state of issues belonging to other projects if a valid target issue UUID is known. The bulk action endpoint authorizes based on the project in the URL but applies submitted issue IDs without verifying project membership, creating a project-boundary authorization bypass. No active exploitation has been confirmed (not in CISA KEV), no public exploit code has been identified, and the EPSS score of 0.03% (8th percentile) reflects minimal real-world exploitation probability.
Cross-project event data exposure in Bugsink prior to 2.2.0 allows an authenticated user with access to one project to read event data - including stacktraces, breadcrumbs, and raw event details - belonging to a separate, unauthorized project. The flaw (CWE-639) exists because issue event views accept a direct event UUID from the URL without verifying that the event belongs to the project in the same URL path. Exploitation is materially constrained by the requirement for both an authenticated session and prior knowledge of a valid target event UUID; no public exploit has been identified and EPSS sits at 0.03% (7th percentile).
Cross-project sourcemap and debug-file disclosure in Bugsink prior to 2.2.0 allows an authenticated user with access to one project to read source context or symbolication-derived data belonging to a separate project on the same instance. The root cause is a missing authorization scope check (CWE-862): debug IDs supplied by clients were resolved globally rather than constrained to the owning project, meaning a deliberate or accidental debug ID collision across projects leaks file metadata. No public exploit code exists and no active exploitation has been identified (CISA KEV: absent, EPSS: 0.03%, 7th percentile), making this a low-urgency but architecturally meaningful information disclosure for multi-project Bugsink deployments.
Authenticated arbitrary file write in Bugsink 2.1.0 allows remote attackers to write malicious content to filesystem locations accessible by the application process through exploitation of the artifact bundle assembly flow. Attackers holding valid authentication tokens can achieve high-integrity impact and partial availability disruption by manipulating file operations. Vulnerability affects only version 2.1.0 of the self-hosted error tracking platform. No public exploit identified at time of analysis.
Stored XSS in Bugsink error tracking tool before 2.0.13 allows unauthenticated attackers to inject persistent scripts through error event submissions. PoC and patch available.
Cross-project issue state modification in Bugsink prior to 2.2.0 allows authenticated users with access to one project to alter the state of issues belonging to other projects if a valid target issue UUID is known. The bulk action endpoint authorizes based on the project in the URL but applies submitted issue IDs without verifying project membership, creating a project-boundary authorization bypass. No active exploitation has been confirmed (not in CISA KEV), no public exploit code has been identified, and the EPSS score of 0.03% (8th percentile) reflects minimal real-world exploitation probability.
Cross-project event data exposure in Bugsink prior to 2.2.0 allows an authenticated user with access to one project to read event data - including stacktraces, breadcrumbs, and raw event details - belonging to a separate, unauthorized project. The flaw (CWE-639) exists because issue event views accept a direct event UUID from the URL without verifying that the event belongs to the project in the same URL path. Exploitation is materially constrained by the requirement for both an authenticated session and prior knowledge of a valid target event UUID; no public exploit has been identified and EPSS sits at 0.03% (7th percentile).
Cross-project sourcemap and debug-file disclosure in Bugsink prior to 2.2.0 allows an authenticated user with access to one project to read source context or symbolication-derived data belonging to a separate project on the same instance. The root cause is a missing authorization scope check (CWE-862): debug IDs supplied by clients were resolved globally rather than constrained to the owning project, meaning a deliberate or accidental debug ID collision across projects leaks file metadata. No public exploit code exists and no active exploitation has been identified (CISA KEV: absent, EPSS: 0.03%, 7th percentile), making this a low-urgency but architecturally meaningful information disclosure for multi-project Bugsink deployments.
Authenticated arbitrary file write in Bugsink 2.1.0 allows remote attackers to write malicious content to filesystem locations accessible by the application process through exploitation of the artifact bundle assembly flow. Attackers holding valid authentication tokens can achieve high-integrity impact and partial availability disruption by manipulating file operations. Vulnerability affects only version 2.1.0 of the self-hosted error tracking platform. No public exploit identified at time of analysis.
Stored XSS in Bugsink error tracking tool before 2.0.13 allows unauthenticated attackers to inject persistent scripts through error event submissions. PoC and patch available.