Bugsink · Bugsink · CVE-2026-47716
**Name of the Vulnerable Software and Affected Versions**
Bugsink versions prior to 2.2.0
**Description**
Bugsink is a self-hosted error tracking tool. A project-boundary authorization issue exists in the issue list view, which supports bulk actions such as resolving or muting selected issues. The system authorizes access based on the project specified in the URL but applies bulk actions to the submitted issue IDs without verifying that those issues belong to the authorized project. This allows an authenticated user with access to one project to modify the state of an issue in another project, provided they possess a valid target issue UUID. Because UUIDs are not easily guessable and there is no enumeration path, the risk is limited. Additionally, since the software is typically self-hosted within a single trust domain or deployed in separate instances per tenant, this does not normally result in cross-tenant access.
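The authorization gap described above, reduced to a minimal in-memory model, with the flawed lookup next to a project-scoped one. This is an added illustration, not Bugsink's code; the `Issue` class, the `store` dictionary and all function names are assumptions made for the example.

```python
import uuid
from dataclasses import dataclass, field


@dataclass
class Issue:
    project_id: int
    id: uuid.UUID = field(default_factory=uuid.uuid4)
    is_resolved: bool = False


def authorize(user_projects, project_id):
    # Membership is checked only for the project named in the URL.
    if project_id not in user_projects:
        raise PermissionError(f"no access to project {project_id}")


def bulk_resolve_unscoped(store, user_projects, project_id, issue_ids):
    """Flawed pattern: the URL project is authorized, submitted IDs are trusted."""
    authorize(user_projects, project_id)
    hits = [s for s in map(store.get, issue_ids) if s]
    for issue in hits:
        issue.is_resolved = True
    return len(hits)


def bulk_resolve_scoped(store, user_projects, project_id, issue_ids):
    """Hardened pattern: the lookup itself is limited to the authorized project."""
    authorize(user_projects, project_id)
    hits = [s for s in map(store.get, issue_ids) if s and s.project_id == project_id]
    for issue in hits:
        issue.is_resolved = True
    return len(hits)


def demo():
    # Constructed data: the user belongs to project 1 only; `other` is in project 2.
    own, other = Issue(project_id=1), Issue(project_id=2)
    store = {own.id: own, other.id: other}
    results = {}
    for action in (bulk_resolve_unscoped, bulk_resolve_scoped):
        own.is_resolved = other.is_resolved = False
        changed = action(store, {1}, 1, [own.id, other.id])
        results[action.__name__] = (changed, own.is_resolved, other.is_resolved)
    return results


if __name__ == "__main__":
    print(demo())
```

Each tuple in the result is (issues changed, own issue resolved, other project's issue resolved). Comparing the number of issues changed with the number of IDs submitted also gives a signal worth logging when the two differ.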
**Recommendations**
Update to version 2.2.0.