Kunbus-2025-0000001: Authentication Bypass and XSS in PiCtory
TLP: WHITE
Publisher: KUNBUS PSIRT | Document category: csaf_security_advisory
Initial release date: 2025-04-01T12:30:00.000Z | Engine: csaf-cms-backend 1.0.0
Current release date: 2025-05-07T11:04:49.241006553Z | Build Date: 2025-05-07T11:03:13.143Z
Current version: 2.1.0 | Status: final
CVSSv3.1 Base Score: 9.8 | Severity: Critical
Language: en-US
Vulnerabilities
Authentication Bypass in Revolution Pi PiCtory (CVE-2025-32011)
Summary
PiCtory has an authentication bypass vulnerability. A remote attacker can bypass authentication and gain authenticated access by means of a path traversal.
CWE: CWE-305: Authentication Bypass by Primary Weakness
Product status
Known affected
Product | CVSS-Vector | CVSS Base Score |
---|---|---|
KUNBUS Revolution Pi pictory vers:deb/>=2.5.0\|<=2.11.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
Fixed
- KUNBUS Revolution Pi pictory 2.12
- KUNBUS Revolution Pi Revolution Pi OS Bookworm 04/2025
Remediations
Vendor fix (2025-03-31T10:00:00.000Z)
Update PiCtory package to version 2.12
For products:
- KUNBUS Revolution Pi pictory vers:deb/>=2.5.0 | <= 2.11.1
Acknowledgments
- Adam Bromiley from Pen Test Partners
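The advisory attributes the bypass to a path traversal but does not describe PiCtory's internals. The following is an added example, not PiCtory's code, of the generic defender-side check that closes this class of bug: a file name taken from an untrusted request parameter is joined to the intended base directory, canonicalised, and refused unless the real target still lies under that directory. The directory names, the `sessions` base and the sample inputs are all constructed assumptions.

```python
"""Path-containment check for a file name taken from an untrusted request parameter.

Added example, not PiCtory's code; the directory names and the parameter it guards are
assumptions. The pattern is generic: resolve the joined path and refuse anything that does
not stay under the intended base directory.
"""
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def resolve_under(base: Path, user_supplied: str) -> Optional[Path]:
    """Return the canonical target path if it lies inside base, otherwise None."""
    candidate = unquote(user_supplied)   # judge the decoded form the file API would see
    if "\x00" in candidate:              # NUL truncates paths in C-level file APIs
        return None
    base_resolved = base.resolve()
    # Joining an absolute right-hand side discards base, and '..' segments walk out of it;
    # resolve() canonicalises both (and follows symlinks), so containment is checked on the
    # real target rather than on the raw string.
    target = (base_resolved / candidate).resolve()
    if not target.is_relative_to(base_resolved):
        return None
    return target


def demo() -> dict:
    """Exercise resolve_under against constructed inputs in a throwaway directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        base = root / "sessions"          # assumed base directory for per-session files
        base.mkdir()
        (base / "good.json").write_text("{}")
        (root / "outside.txt").write_text("not reachable through the parameter")
        inputs = {                        # constructed sample values, not real requests
            "plain": "good.json",
            "dotdot": "../outside.txt",
            "encoded": "..%2Foutside.txt",
            "absolute": str(root / "outside.txt"),
            "nul": "good.json\x00.txt",
            "roundtrip": "sub/../good.json",
        }
        results = {}
        for label, value in inputs.items():
            resolved = resolve_under(base, value)
            results[label] = None if resolved is None else resolved.name
        return results


if __name__ == "__main__":
    for label, name in demo().items():
        print(f"{label:10s} -> {name}")
```

Only the two inputs whose canonical target stays under `sessions` are accepted; the `..`, percent-encoded, absolute and NUL-containing variants are all refused by the same check, which is the property a reviewer should look for in any file-name handling that sits in front of an authentication decision.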
Stored Cross-Site Scripting in Revolution Pi PiCtory (CVE-2025-35996)
Summary
An authenticated remote attacker can craft a special filename that is stored by API endpoints. That filename is later transmitted to the client in order to display the list of configuration files. Because the filename is neither escaped nor sanitized, it can be rendered as an HTML script tag, resulting in a cross-site scripting attack.
CWE: CWE-97: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
Product status
Known affected
Product | CVSS-Vector | CVSS Base Score |
---|---|---|
KUNBUS Revolution Pi PiCtory vers:deb/<=2.11.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H | 9 |
Fixed
- KUNBUS Revolution Pi pictory 2.12
- KUNBUS Revolution Pi Revolution Pi OS Bookworm 04/2025
Remediations
Vendor fix (2025-03-31T10:00:00.000Z)
Update PiCtory package to version 2.12
For products:
- KUNBUS Revolution Pi PiCtory vers:deb/<=2.11.1
Acknowledgments
- Adam Bromiley from Pen Test Partners
Reflected Cross-Site Scripting in PiCtory (CVE-2025-36558)
Summary
PiCtory is vulnerable to a reflected cross-site scripting attack via the sso_token used for authentication. If an attacker provides the user with a PiCtory URL whose sso_token contains an HTML script, that script is reflected back to the user and executed.
CWE: CWE-97: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
Product status
Known affected
Product | CVSS-Vector | CVSS Base Score |
---|---|---|
KUNBUS Revolution Pi PiCtory vers:deb/<=2.11.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 6.1 |
Fixed
- KUNBUS Revolution Pi pictory 2.12
- KUNBUS Revolution Pi Revolution Pi OS Bookworm 04/2025
Remediations
Vendor fix (2025-03-31T10:00:00.000Z)
Update PiCtory package to version 2.12
For products:
- KUNBUS Revolution Pi PiCtory vers:deb/<=2.11.1
Acknowledgments
- Adam Bromiley from Pen Test Partners
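Both XSS entries above (the stored one via a configuration file name, CVE-2025-35996, and the reflected one via sso_token, CVE-2025-36558) share one root cause: an untrusted string reaches HTML without output encoding. The block below is an added example, not PiCtory's code, showing the vulnerable concatenation pattern beside its hardened form for both places, plus an allow-list applied when a file name is first accepted. The HTML layout, the `.conf` extension and the allow-list rule are assumptions; the sample names are constructed.

```python
"""Output encoding and input allow-listing for two places where untrusted strings reach HTML:
a stored list of configuration file names and a request parameter echoed back on a page.

Added example, not PiCtory's code; the HTML layout, the .conf extension and the
validate-on-write rule are assumptions.
"""
import html
import re

# Allow-list for names accepted by the store endpoint (assumed rule): letters, digits, dot,
# dash, underscore, no path separators, fixed extension. Validating on write is the first
# line of defence; escaping on output is the second, and both are applied.
_FILENAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.conf$")

# Constructed sample names: one benign, two carrying markup a vulnerable renderer would emit.
CONSTRUCTED_NAMES = [
    "pump_station.conf",
    "<script>alert('xss')</script>.conf",
    'x" onload="alert(1).conf',
]


def is_valid_config_name(name: str) -> bool:
    """True only for names matching the allow-list; used when a name is stored."""
    return bool(_FILENAME_RE.fullmatch(name))


def store_config_name(name: str) -> str:
    """Reject anything outside the allow-list before it can be persisted."""
    if not is_valid_config_name(name):
        raise ValueError("configuration file name rejected by allow-list")
    return name


def render_file_list_unsafe(names) -> str:
    # Vulnerable pattern: plain concatenation, so stored names land in the DOM verbatim.
    return "<ul>" + "".join(f"<li>{n}</li>" for n in names) + "</ul>"


def render_file_list(names) -> str:
    # Hardened: every name is HTML-escaped, with quote=True for the attribute context and
    # the default escape for element content.
    items = "".join(
        f'<li data-name="{html.escape(n, quote=True)}">{html.escape(n)}</li>' for n in names
    )
    return "<ul>" + items + "</ul>"


def render_token_error(sso_token: str) -> str:
    # A request parameter echoed back must be escaped too; quote=True also neutralises the
    # quote characters needed to break out of an attribute value.
    return f"<p>Login failed for token: {html.escape(sso_token, quote=True)}</p>"


if __name__ == "__main__":
    print(render_file_list_unsafe(CONSTRUCTED_NAMES))
    print(render_file_list(CONSTRUCTED_NAMES))
    print(render_token_error('"><script>alert(1)</script>'))
```

With the hardened renderer the sample names appear as literal text (`&lt;script&gt;...`) instead of as markup, and the allow-list refuses the two hostile names before they are ever stored; the reflected token is handled by the same escaping call, which is the smallest change that would have addressed both entries.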
Acknowledgments
KUNBUS PSIRT thanks the following parties for their efforts:
- Adam Bromiley from Pen Test Partners for finding and reporting the vulnerabilities
KUNBUS PSIRT
Namespace: https://www.kunbus.com
product-security@kunbus.com
KUNBUS GmbH develops and produces the Revolution Pi Family, Revolution Pi OS and the extension modules for RevPi amongst others. KUNBUS PSIRT is responsible for vulnerability handling across all KUNBUS products and services.
References
- URL generated by system (self): https://psirt.kunbus.com/.well-known/csaf/white/2025/kunbus-2025-0000001.json
- CISA ICS Advisory ICSA-25-121-01 : https://www.cisa.gov/news-events/ics-advisories/icsa-25-121-01
- HTML-Version : https://www.kunbus.com/en/productsecurity/revolution-pi-authentication-bypass-and-xss-in-pictory
Revision history
Version | Date of the revision | Summary of the revision |
---|---|---|
1.0.0 | 2025-04-01T12:30:00.000Z | Initial Publication |
1.1.0 | 2025-04-01T16:44:15.032752994Z | New Version. Added Issuing authority and switched sharing rules to TLP WHITE. |
1.2.0 | 2025-05-05T07:30:00.000Z | Add assigned CVE Numbers |
2.0.0 | 2025-05-07T10:52:16.575003403Z | Added new image release that contains the fixes |
2.1.0 | 2025-05-07T11:04:49.241006553Z | Added HTML Version as reference |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. KUNBUS RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.