Kunbus-2025-0000001: Authentication Bypass and XSS in PiCtory
TLP: WHITE
Publisher: KUNBUS PSIRT
Document category: csaf_security_advisory
Initial release date: 2025-04-01T12:30:00.000Z
Engine: csaf-cms-backend 1.0.0
Current release date: 2025-04-01T16:44:15.032752994Z
Build date: 2025-04-01T16:42:25.504Z
Current version: 1.1.0
Status: final
CVSSv3.1 Base Score: 9.8
Severity: Critical
Language: en-US
Vulnerabilities
Authentication Bypass in Revolution Pi PiCtory
Summary
PiCtory has an authentication bypass vulnerability. Due to a path traversal, a remote attacker can bypass authentication and obtain authenticated access.
CWE: CWE-305: Authentication Bypass by Primary Weakness
Product status
Known affected
Product | CVSS-Vector | CVSS Base Score |
---|---|---|
KUNBUS Revolution Pi pictory vers:deb/>=2.5.0\|<=2.11.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
Fixed
- KUNBUS Revolution Pi pictory 2.12
Remediations
Vendor fix (2025-03-31T10:00:00.000Z)
Update PiCtory package to version 2.12
For products:
- KUNBUS Revolution Pi pictory vers:deb/>=2.5.0|<=2.11.1
Acknowledgments
- Adam Bromiley from Pen Test Partners
Stored Cross-Site Scripting in Revolution Pi PiCtory
Summary
An authenticated remote attacker can craft a special filename that is stored by API endpoints. That filename is later transmitted to the client in order to show a list of configuration files. Because the filename is neither escaped nor sanitized, it can be rendered as an HTML script tag, resulting in a cross-site-scripting attack.
CWE: CWE-97: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
Product status
Known affected
Product | CVSS-Vector | CVSS Base Score |
---|---|---|
KUNBUS Revolution Pi PiCtory vers:deb/<=2.11.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H | 9 |
Fixed
- KUNBUS Revolution Pi pictory 2.12
Remediations
Vendor fix (2025-03-31T10:00:00.000Z)
Update PiCtory package to version 2.12
For products:
- KUNBUS Revolution Pi PiCtory vers:deb/<=2.11.1
Acknowledgments
- Adam Bromiley from Pen Test Partners
Reflected Cross-Site Scripting in PiCtory
Summary
PiCtory is vulnerable to a reflected cross-site-scripting attack via the sso_token used for authentication. If an attacker provides the user with a PiCtory URL containing an HTML script as the sso_token, that script is reflected back to the user and executed.
CWE: CWE-97: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
Product status
Known affected
Product | CVSS-Vector | CVSS Base Score |
---|---|---|
KUNBUS Revolution Pi PiCtory vers:deb/<=2.11.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 6.1 |
Fixed
- KUNBUS Revolution Pi pictory 2.12
Remediations
Vendor fix (2025-03-31T10:00:00.000Z)
Update PiCtory package to version 2.12
For products:
- KUNBUS Revolution Pi PiCtory vers:deb/<=2.11.1
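The affected products above are given as vers:deb range strings. As an added check (not part of this advisory or of KUNBUS tooling), the following Python evaluates a PiCtory version against those three ranges; it assumes the Debian package is named pictory and uses a simplified version ordering rather than dpkg's full rules.

```python
import re
import shutil
import subprocess
from typing import Optional

# The three affected ranges, copied from this advisory's product entries.
AFFECTED_RANGES = {
    "Authentication Bypass": "vers:deb/>=2.5.0|<=2.11.1",
    "Stored XSS": "vers:deb/<=2.11.1",
    "Reflected XSS": "vers:deb/<=2.11.1",
}

OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def version_key(v: str) -> tuple:
    """Integer tuple for a dotted version, zero-padded so '2.12' equals '2.12.0'. Assumption:
    dpkg's epoch, '~' and revision rules are not modelled; use 'dpkg --compare-versions' then."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (4 - len(parts)))

def in_vers_range(version: str, vers: str) -> bool:
    """Check a version against a 'vers:deb/' range. Assumption: every '|'-separated
    constraint must hold, which is sufficient for the ranges in this advisory."""
    scheme, _, constraints = vers.partition("/")
    if scheme != "vers:deb":
        raise ValueError(f"unsupported vers scheme: {scheme}")
    key = version_key(version)
    for constraint in constraints.split("|"):
        m = re.fullmatch(r"\s*(>=|<=|>|<|=)?\s*(\S+)\s*", constraint)
        if not m:
            raise ValueError(f"bad constraint: {constraint!r}")
        op, bound = m.group(1) or "=", m.group(2)
        if not OPS[op](key, version_key(bound)):
            return False
    return True

def affected_issues(version: str) -> list:
    """Names of this advisory's issues that apply to the given PiCtory version."""
    return [name for name, rng in AFFECTED_RANGES.items() if in_vers_range(version, rng)]

def installed_pictory_version(package: str = "pictory") -> Optional[str]:
    """Installed version via dpkg-query (Revolution Pi OS is Debian-based). The package
    name 'pictory' is an assumption; returns None if dpkg-query or the package is absent."""
    if shutil.which("dpkg-query") is None:
        return None
    r = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                       capture_output=True, text=True)
    return (r.stdout.strip() or None) if r.returncode == 0 else None
```

Calling affected_issues(installed_pictory_version()) on a Revolution Pi lists which of the three issues still apply; an empty list for 2.12 confirms the vendor fix is in place.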
Acknowledgments
- Adam Bromiley from Pen Test Partners
Acknowledgments
KUNBUS PSIRT thanks the following parties for their efforts:
- Adam Bromiley from Pen Test Partners for finding and reporting the vulnerabilities
KUNBUS PSIRT
Namespace: https://www.kunbus.com
product-security@kunbus.com
KUNBUS GmbH develops and produces the Revolution Pi Family, Revolution Pi OS and the extension modules for RevPi.
References
- URL generated by system (self): https://psirt.kunbus.com/.well-known/csaf/white/2025/kunbus-2025-0000001.json
Revision history
Version | Date of the revision | Summary of the revision |
---|---|---|
1.0.0 | 2025-04-01T12:30:00.000Z | Initial Publication |
1.1.0 | 2025-04-01T16:44:15.032752994Z | New Version. Added Issuing authority and switched sharing rules to TLP WHITE. |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/