
Pachno 1.0.6 Cross-Site Request Forgery

Severity: High
Advisory ID: ZSL-2026-5983
Release Date: 12 April 2026
Vendor: Daniel André Eikeland - https://github.com/pachno/pachno
Affected Version: 1.0.6
CVE: N/A
Tested On: GNU/Linux, Apache2, PHP/7.4, MySQL/5.7 (MariaDB)
Summary

Pachno is an open-source collaboration platform (formerly known as The Bug Genie) designed for team project management, issue tracking, and documentation. It offers a module-based, customizable environment for software development and team workflows, distributed under the Mozilla Public License.

Description

CSRF protection in the application is opt-in via the @CsrfProtected annotation and the csrf_enabled route flag, both of which are absent from a large set of state-changing endpoints, including login, registration, logout, file upload, milestone editing, group/role/team/client/user administration, and Livelink commit posting. No same-origin enforcement, anti-CSRF token, or SameSite=Strict cookie attribute is in place to compensate. An attacker who gets a logged-in user to visit a malicious web site can therefore perform arbitrary actions in the context of that user, including forced logout, account creation by an admin, role modification, comment injection, and file upload; when the victim is an administrator, those actions run with administrative privileges.
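The description above boils down to a deny-by-default problem: protection exists, but only where a developer remembered to opt in. The following is an added example, not Pachno's code and not the vendor's fix, of how a PHP front controller can apply a CSRF guard to every non-safe request before routing, combined with a SameSite=Strict session cookie and an Origin/Referer check. Function names, the field and header names, and the host value are assumptions chosen for the example.

```php
<?php
// Added example (not Pachno code): a minimal CSRF guard applied globally,
// so that no state-changing route is unprotected by omission.
// Constant and function names below are assumptions for this example.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';
const CSRF_FIELD       = '_csrf';              // hidden form field name
const CSRF_HEADER      = 'HTTP_X_CSRF_TOKEN';  // $_SERVER key for X-CSRF-Token

// Start the session with cookie attributes that stop the browser from
// attaching the session cookie to cross-site requests.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,      // requires HTTPS in deployment
        'samesite' => 'Strict',  // cookie omitted on all cross-site navigations
    ]);
    session_start();
}

// Return the per-session token, generating it on first use.
function csrfToken(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden input to embed in every HTML form that changes state.
function csrfField(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Independent second layer: the request must originate from our own host.
// Requests carrying neither Origin nor Referer are rejected.
function originAllowed(array $server, string $expectedHost): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false;
    }
    return parse_url($source, PHP_URL_HOST) === $expectedHost;
}

// Deny by default: every method other than GET/HEAD/OPTIONS must present
// a token that matches the one stored in the session.
function csrfGuard(array $server, array $post, string $expectedHost): bool
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true; // safe methods must not change state, so no token is needed
    }
    if (!originAllowed($server, $expectedHost)) {
        return false;
    }
    $presented = $post[CSRF_FIELD] ?? $server[CSRF_HEADER] ?? '';
    // hash_equals() compares in constant time, avoiding a timing side channel.
    return is_string($presented) && hash_equals(csrfToken(), $presented);
}

// Usage at the very top of the front controller, before any route dispatch.
// 'pachno.example.invalid' is a placeholder for the real application host.
startHardenedSession();
if (!csrfGuard($_SERVER, $_POST, 'pachno.example.invalid')) {
    http_response_code(403);
    exit('Request rejected: missing or invalid CSRF token');
}
```

Two caveats follow from the endpoint list in the description. The guard only helps if state changes happen over POST, so a logout (or any other action) reachable via a plain GET link has to be moved to a POST form carrying csrfField() first; otherwise the safe-method exemption above would let it through. And the SameSite=Strict cookie is a browser-side mitigation, not a replacement for the token: older clients ignore the attribute, so the token check must remain the primary control.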

Proof of Concept
Disclosure Timeline
06.04.2026 - Vulnerability discovered.
09.04.2026 - Vendor contacted.
11.04.2026 - No response from the vendor.
12.04.2026 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
N/A
Changelog
12.04.2026 - Initial release