Pachno
cpe:2.3:a:pachno:pachno:*:*:*:*:*:*:*
- <= 1.0.6
A cross-site request forgery (CSRF) vulnerability has been identified in Pachno version 1.0.6. This vulnerability allows attackers to perform arbitrary actions on behalf of authenticated users by exploiting the absence of CSRF protections on state-changing endpoints. Attackers can craft malicious requests that target functions such as login, registration, file uploads, milestone editing, and administrative tasks. When an authenticated user visits a website controlled by the attacker, the requests issued by that site can force a logout, create accounts, modify roles, inject comments, or upload files.
Exploitation of this vulnerability could lead to unauthorized actions being performed in the context of an authenticated user, including administrative functions if the user has such privileges.
The vulnerability can be reproduced by visiting an attacker-controlled website while logged into an account on Pachno 1.0.6. The website can then send crafted requests that exploit the missing CSRF protections, targeting state-changing endpoints such as login, registration, file uploads, milestone editing, and administrative functions.
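The root cause described above is that state-changing endpoints accept requests without any proof that the request originated from the application's own pages. The following is an added example of the standard mitigation (a per-session synchronizer token plus an Origin check), written as a small, self-contained Python guard; it is not Pachno's code, and the session store, the endpoint list, the deployment origin `https://pachno.example`, and the `Request` shape are all assumptions constructed for illustration. Note that the anonymous (pre-login) session also receives a token, which is what protects the login and registration endpoints the advisory lists.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed in-memory session store: session id -> per-session CSRF token.
# Anonymous visitors get a session too, so login/registration forms carry a token.
SESSIONS: dict[str, str] = {}

# Endpoint categories named in the advisory; every one of them changes state.
# (Paths are constructed for this example, not Pachno's real routes.)
STATE_CHANGING = {"/login", "/register", "/upload", "/milestone/edit", "/admin/roles"}

SITE_ORIGIN = "https://pachno.example"  # assumed deployment origin


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for the example)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def new_session() -> str:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the server embeds in its own forms / exposes to its own JavaScript."""
    return SESSIONS[sid]


def _same_origin(value: str) -> bool:
    # Compare scheme + host exactly; a prefix test would accept lookalike hosts.
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def check_csrf(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Reject state-changing requests lacking proof of origin."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    if req.path not in STATE_CHANGING:
        return True, "not state-changing"

    # Defense in depth: browsers attach Origin (or Referer) to cross-site POSTs.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin and not _same_origin(origin):
        return False, "cross-origin request"

    # Primary control: the token bound to the session must be echoed back.
    expected = SESSIONS.get(req.cookies.get("session", ""))
    if expected is None:
        return False, "no session"
    supplied = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token", "")
    if not supplied or not hmac.compare_digest(supplied, expected):
        return False, "missing or invalid csrf token"
    return True, "ok"


if __name__ == "__main__":
    sid = new_session()
    legit = Request("POST", "/milestone/edit",
                    {"Origin": SITE_ORIGIN}, {"session": sid},
                    {"name": "v1.1", "csrf_token": csrf_token_for(sid)})
    forged = Request("POST", "/milestone/edit",
                     {"Origin": "https://attacker.example"}, {"session": sid},
                     {"name": "hijacked"})
    print("legitimate:", check_csrf(legit))
    print("forged:    ", check_csrf(forged))
```

The forged request carries the victim's session cookie (the browser attaches it automatically) but cannot carry the token, because the attacker's page has no way to read a value that only the application's own pages render; that asymmetry is the whole point of the pattern. Pairing it with `SameSite=Lax` or `Strict` on the session cookie and a strict Origin check gives three independent reasons for the forged request to fail.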