Pachno
Remote code execution in Pachno 1.0.6 allows unauthenticated attackers to achieve arbitrary code execution by exploiting unsafe deserialization of PHP objects. Attackers write malicious serialized payloads to world-writable cache files with predictable names, which are automatically unserialized during framework bootstrap before authentication occurs. EPSS indicates a 0.14% probability of exploitation (33rd percentile), no active exploitation is confirmed per CISA KEV, and SSVC classifies this as automatable with total technical impact.
Privilege escalation in Pachno 1.0.6 allows low-privilege authenticated users to hijack administrator sessions by manipulating the original_username cookie in the runSwitchUser() action, enabling unauthorized access to user ID 1 (admin) session tokens and password hashes. SSVC confirms proof-of-concept exists with partial technical impact, though EPSS indicates low exploitation probability (0.07%, 22nd percentile) and no active exploitation confirmed via CISA KEV.
XML External Entity (XXE) injection in Pachno 1.0.6's TextParser helper allows remote unauthenticated attackers to read arbitrary files from the server. The vulnerability is triggered through malicious XML entities embedded in wiki table syntax and inline tags within issue descriptions, comments, or wiki articles, exploiting unsafe simplexml_load_string() calls without LIBXML_NONET protections. With CVSS 9.3 and EPSS 0.04% (14th percentile), this represents a high-severity but low-probability threat. No active exploitation (CISA KEV) or public exploit code has been identified at time of analysis.
Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login, registration, file upload, milestone editing, and administrative functions to force logout, create accounts, modify roles, inject comments, or upload files when authenticated users visit attacker-controlled websites.
Remote code execution in Pachno 1.0.6 allows authenticated users to upload and execute PHP5 scripts via the /uploadfile endpoint due to ineffective extension filtering. The vulnerability bypasses file type restrictions, enabling attackers to place executable code in web-accessible directories. With a low attack complexity (AC:L) and requiring only low-level authentication (PR:L), this is exploitable by any user with basic credentials. EPSS probability is relatively low (0.10%, 27th percentile), and no active exploitation is confirmed via CISA KEV status, though the attack technique is well-understood and documented in public advisories.
Open redirection in Pachno 1.0.6's return_to parameter enables phishing campaigns that harvest user credentials by redirecting victims to attacker-controlled domains after login. With CVSS 7.1 (High) and EPSS 0.03% (9th percentile), exploitation requires user interaction but no authentication, making it effective for social engineering attacks. No active exploitation (CISA KEV) or public exploit code has been confirmed at time of analysis, though detailed advisories exist from ZeroScience and VulnCheck.
Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, comment_body, article_content, description, and message parameters across multiple controllers, which are stored in the database and executed in users' browser sessions due to improper sanitization via Request::getRawParameter() or Request::getParameter() calls.