Pachno is an open-source collaboration platform (formerly known as The Bug Genie) designed for team project management, issue tracking, and documentation. It offers a module-based, customizable environment for software development and team workflows, distributed under the Mozilla Public License.
Input passed to the POST parameters value, comment_body, article_content, description and message via multiple controllers is not properly sanitised before being stored in the database and later returned to other users. The application explicitly bypasses its own htmlspecialchars()-based sanitiser by reading these parameters through Request::getRawParameter() or Request::getParameter($name, null, false), the latter passing false to switch the sanitisation off. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site (stored cross-site scripting).
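The following is an added illustration, not Pachno's code: a simplified model of the two request accessors named above, showing why reading a parameter through the raw accessor (or with sanitisation switched off) and persisting it leads to stored XSS, and what the safe alternatives look like. The Request class, the render functions and the POST body are all constructed for this example and are assumptions, not Pachno's implementation.

```php
<?php
// Added example (not Pachno's code). Minimal stand-in for a request object with a
// sanitised accessor and two ways of bypassing it, as described in the advisory.
// The class below is an assumed model, not the project's own implementation.

class Request
{
    private array $params;

    public function __construct(array $params)
    {
        $this->params = $params;
    }

    // Model of the sanitised accessor: escaping is applied unless the third
    // argument is explicitly set to false.
    public function getParameter(string $key, $default = null, bool $sanitized = true)
    {
        if (!array_key_exists($key, $this->params)) {
            return $default;
        }
        $value = $this->params[$key];
        return $sanitized ? htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') : $value;
    }

    // Model of the raw accessor: never escapes.
    public function getRawParameter(string $key, $default = null)
    {
        return $this->params[$key] ?? $default;
    }
}

// Constructed POST body carrying an XSS payload in one of the affected parameters.
$request = new Request([
    'comment_body' => '<img src=x onerror="alert(document.domain)">',
]);

// Vulnerable patterns: the payload is persisted verbatim and later echoed to other users.
$stored_vulnerable_raw      = $request->getRawParameter('comment_body');
$stored_vulnerable_disabled = $request->getParameter('comment_body', null, false);

// Hardened pattern at input time: keep the default (sanitised) accessor.
$stored_safe = $request->getParameter('comment_body');

// A template that echoes whatever was stored without escaping.
function render(string $body): string
{
    return '<div class="comment">' . $body . '</div>';
}

// A template that escapes at output time regardless of how the value was stored.
function render_escaped(string $body): string
{
    return '<div class="comment">' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</div>';
}

// Active markup reaches the browser: script executes in the viewer's session.
echo render($stored_vulnerable_raw) . "\n";
echo render($stored_vulnerable_disabled) . "\n";

// Escaped at input time: the payload is rendered as literal text.
echo render($stored_safe) . "\n";

// Escaped at output time: safe even though the raw accessor was used.
echo render_escaped($stored_vulnerable_raw) . "\n";
```

Running the script with `php` prints the four rendered fragments; only the first two contain a live `onerror` handler. The practical takeaways are that every call site of the raw accessor, or of the sanitised accessor with its third argument set to false, is a candidate for this bug, and that escaping at the point where data is inserted into HTML (the render_escaped pattern) is the control that holds even when input-time sanitisation has been bypassed.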