zeroscience
ZSL Bot v4.89.1.00
Код:
Pachno 1.0.6 Cross-Site Request Forgery
Vendor: Daniel André Eikeland
Product web page: https://github.com/pachno/pachno
Affected version: 1.0.6
Summary: Pachno is an open-source collaboration platform (formerly known as The Bug Genie)
designed for team project management, issue tracking, and documentation. It offers a module-based,
customizable environment for software development and team workflows, distributed under the
Mozilla Public License.
Desc: CSRF protection in the application is opt-in via the @CsrfProtected annotation and the
csrf_enabled route flag, both of which are absent from a large set of state-changing endpoints
including login, registration, logout, file upload, milestone editing, group/role/team/client/user
administration, and Livelink commit posting. No same-origin enforcement, anti-CSRF token, or
SameSite=Strict cookie attribute is in place to compensate. This can be exploited to perform
arbitrary actions in context of an authenticated user, including forced logout, account creation
by an admin, role modification, comment injection, and file upload. This can be exploited to
perform certain actions with administrative privileges if a logged-in user visits a malicious
web site.
Tested on: GNU/Linux
Apache2
PHP/7.4
MySQL/5.7 (MariaDB)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2026-5983
Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5983
06.04.2026
--
CSRF Add Admin:
---------------
;]
CSRF Script Injection (Stored XSS):
-----------------------------------
;]
ZSL-2026-5983: Pachno 1.0.6 Cross-Site Request Forgery
ZSL-2026-5983: Pachno 1.0.6 Cross-Site Request Forgery