Bugsink, versions through 2.1.3 (fixed in 2.2.0)
A cross-project authorization vulnerability has been identified in Bugsink, a self-hosted error tracking tool, prior to version 2.2.0. In affected versions, the issue list view authorizes the request against the project named in the URL, but the bulk actions reachable from that view accept arbitrary issue IDs and do not verify that each submitted issue belongs to that project. An authenticated user who is a member of one project can therefore act on issues in another. Exploitation requires authentication and knowledge of a valid issue UUID; the issue is rated low severity because there is no known path to enumerate issue UUIDs and because self-hosted Bugsink instances commonly operate within a single trust domain.
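The flaw described above is the classic "authorize the container, then look up the children by ID alone" mistake. The following is an added illustration, not Bugsink's own code: an in-memory model with two projects, a per-view project check, a bulk resolve that reproduces the bug, and a fixed variant that scopes every lookup to the authorized project. Issue IDs, membership table and the `Issue` dataclass are constructed for the example. In Django ORM terms the fix amounts to filtering the bulk queryset by project as well as by ID (`Issue.objects.filter(project=project, id__in=ids)`); that is the general shape of such a fix, not a claim about the project's actual patch.

```python
import uuid
from dataclasses import dataclass

# Added illustration, not Bugsink's code. The model, the membership table
# and the two issues below are constructed stand-ins for the real ORM rows.


@dataclass
class Issue:
    id: uuid.UUID
    project_id: int
    is_resolved: bool = False
    is_muted: bool = False


# Constructed sample data: one issue in each of two projects.
ISSUE_IN_PROJECT_1 = uuid.UUID("11111111-1111-4111-8111-111111111111")
ISSUE_IN_PROJECT_2 = uuid.UUID("22222222-2222-4222-8222-222222222222")


def make_sample_issues():
    """Fresh copy of the constructed issue table, keyed by UUID."""
    return {
        ISSUE_IN_PROJECT_1: Issue(ISSUE_IN_PROJECT_1, project_id=1),
        ISSUE_IN_PROJECT_2: Issue(ISSUE_IN_PROJECT_2, project_id=2),
    }


# Constructed membership table: alice may see project 1 only, bob project 2 only.
MEMBERSHIPS = {"alice": {1}, "bob": {2}}


def authorize_project(user, project_id):
    """The per-view check: is the caller a member of the project in the URL?"""
    if project_id not in MEMBERSHIPS.get(user, set()):
        raise PermissionError(f"{user} is not a member of project {project_id}")


def bulk_resolve_vulnerable(issues, user, url_project_id, issue_ids):
    """Mirrors the advisory's flaw: the project in the URL is authorized,
    but the issues are then fetched by ID alone, whatever project owns them."""
    authorize_project(user, url_project_id)
    changed = 0
    for issue_id in issue_ids:
        issue = issues.get(issue_id)  # BUG: no project_id constraint on the lookup
        if issue is not None:
            issue.is_resolved = True
            changed += 1
    return changed


def bulk_resolve_fixed(issues, user, url_project_id, issue_ids, strict=True):
    """Scopes every lookup to the authorized project. All IDs are validated
    before anything is mutated; with strict=True an ID from another project
    aborts the request instead of being silently dropped."""
    authorize_project(user, url_project_id)
    selected = []
    for issue_id in issue_ids:
        issue = issues.get(issue_id)
        if issue is None or issue.project_id != url_project_id:
            if strict:
                raise PermissionError(f"issue {issue_id} is not in project {url_project_id}")
            continue
        selected.append(issue)
    for issue in selected:
        issue.is_resolved = True
    return len(selected)


def demonstrate():
    """alice (member of project 1 only) submits project 2's issue UUID to the
    project-1 bulk action, against the vulnerable and the fixed handler."""
    vuln = make_sample_issues()
    vuln_changed = bulk_resolve_vulnerable(vuln, "alice", 1, [ISSUE_IN_PROJECT_2])

    fixed = make_sample_issues()
    try:
        bulk_resolve_fixed(fixed, "alice", 1, [ISSUE_IN_PROJECT_2])
        fixed_rejected = False
    except PermissionError:
        fixed_rejected = True

    return {
        "vulnerable_changed": vuln_changed,
        "vulnerable_crossed": vuln[ISSUE_IN_PROJECT_2].is_resolved,
        "fixed_rejected": fixed_rejected,
        "fixed_crossed": fixed[ISSUE_IN_PROJECT_2].is_resolved,
    }


if __name__ == "__main__":
    print(demonstrate())
```

The strict variant is the better default for a bulk endpoint: a foreign UUID in the request is either a bug in the client or someone probing, and rejecting the whole request (and logging it) makes the probe visible, whereas silently dropping the ID hides it.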
Exploitation allows unauthorized cross-project modification of issue state in Bugsink, such as resolving or muting issues the user has no access to. The practical impact is confusion or mismanagement of issues across projects; no data disclosure is described.
Users can upgrade to Bugsink version 2.2.0 or later, where this vulnerability has been fixed. Instructions for downloading the latest version are available on the Bugsink GitHub releases page.