Pachno is an open-source collaboration platform (formerly known as The Bug Genie) designed for team project management, issue tracking, and documentation. It offers a module-based, customizable environment for software development and team workflows, distributed under the Mozilla Public License.
Input passed via the return_to GET/POST parameter to the login endpoint is not properly validated before being used to redirect users. The _getLoginForwardUrl() helper only applies htmlentities() to the value. That function performs HTML output encoding; it does not check URL schemes or hosts, and it leaves an ordinary absolute URL unchanged, so the login endpoint then issues a Location header pointing at whatever URL was supplied. An attacker can therefore craft a login link that sends the user to an arbitrary external website once the login form is submitted, and use it for phishing.
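The following is an added illustration, not Pachno's code. It is written in Python rather than the project's PHP so it can be run directly; html.escape() stands in for PHP's htmlentities() to show that HTML encoding leaves a redirect target untouched, and safe_return_to() shows the check a login handler needs instead: normalise the value to a same-site relative path, and fall back to a fixed page for anything else. The host name tracker.example, the function names and the sample inputs are assumptions chosen for the example.

```python
import html
from urllib.parse import urlsplit

# Hypothetical host of the instance and the page to fall back to
# when return_to cannot be trusted (both assumed for this example).
APP_HOST = "tracker.example"
LOGIN_FALLBACK = "/"


def html_encode_only(value: str) -> str:
    """Mirror the vulnerable behaviour: HTML-encode and nothing else.

    html.escape() is used here as a stand-in for PHP's htmlentities().
    A plain absolute URL contains none of & < > " ' so it comes back
    unchanged and ends up verbatim in the Location header.
    """
    return html.escape(value, quote=True)


def safe_return_to(value, app_host: str = APP_HOST, fallback: str = LOGIN_FALLBACK) -> str:
    """Return a same-site relative path derived from value, or fallback.

    Accepted: absolute URLs whose scheme is http(s) and whose netloc is
    exactly app_host (reduced to path?query#fragment), and relative
    paths that start with a single "/".
    Rejected: other schemes (javascript:, data:), other hosts, userinfo
    or port tricks (user@host, host:port), protocol-relative targets
    ("//host", "/\\host"), control characters (CR/LF header injection,
    tabs that browsers strip before parsing) and oversized values.
    """
    if not isinstance(value, str):
        return fallback
    value = value.strip()  # browsers also strip surrounding whitespace
    if not value or len(value) > 2048:
        return fallback
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return fallback

    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        # Absolute (or scheme-only, e.g. "http:evil.example") form:
        # only our own host over http(s) is acceptable, and we keep
        # just the path part so the redirect is same-origin by construction.
        if parts.scheme not in ("http", "https") or parts.netloc.lower() != app_host:
            return fallback
        relative = parts.path or "/"
        if parts.query:
            relative += "?" + parts.query
        if parts.fragment:
            relative += "#" + parts.fragment
    else:
        relative = value

    # A relative target must be an absolute path on this site; a second
    # "/" or a "\" right after it would be read as an authority by browsers.
    if not relative.startswith("/") or relative[1:2] in ("/", "\\"):
        return fallback
    return relative


if __name__ == "__main__":
    # Constructed sample inputs an attacker might place in return_to.
    samples = [
        "/issues/42?x=1",
        "https://tracker.example/issues/42",
        "https://evil.example/login",
        "//evil.example",
        "/\\evil.example",
        "http:evil.example",
        "https://tracker.example@evil.example/",
        "javascript:alert(1)",
        "/issues\r\nSet-Cookie: a=b",
    ]
    for s in samples:
        print(f"{s!r:45} htmlentities-> {html_encode_only(s)!r:45} safe-> {safe_return_to(s)!r}")
```

The design choice worth noting is that an absolute URL on the application's own host is not passed through as-is but reduced to its path: that way a later bug in host comparison cannot turn into a redirect to another origin, and odd forms such as `https://tracker.example//evil.example` are caught by the same leading-slash rule that guards relative input.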