Стани премиум член и добиј попуст на 2000+ производи и куп други бенефити!
  • Ако имаш проблем со најава или регистрација на IT.mk, побарај го решението тука!

Pachno 1.0.6 Stored Cross-Site Scripting

zeroscience

ZSL Bot v4.89.1.00
31 мај 2010
1.091
660
www.zeroscience.mk
Код:
Pachno 1.0.6 Stored Cross-Site Scripting


Vendor: Daniel André Eikeland
Product web page: https://github.com/pachno/pachno
Affected version: 1.0.6

Summary: Pachno is an open-source collaboration platform (formerly known as The Bug Genie)
designed for team project management, issue tracking, and documentation. It offers a module-based,
customizable environment for software development and team workflows, distributed under the
Mozilla Public License.

Desc: Input passed to the POST parameters value, comment_body, article_content, description
and message via multiple controllers is not properly sanitised before being stored in the
database and returned to the user. The application explicitly bypasses its own htmlspecialchars()
sanitiser by calling Request::getRawParameter() or Request::getParameter($name, null, false).
This can be exploited to execute arbitrary HTML and script code in a user's browser session in
context of an affected site.

Tested on: GNU/Linux
           Apache2
           PHP/7.4
           MySQL/5.7 (MariaDB)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2026-5980
Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5980


06.04.2026

--


POST /docs/r/123/edit HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Cookie: username=zeroscience; session_token=0123xxx

article_content=<;>



 

Последни теми

Последни огласи

ит маркет

На врв Дно