Cross-Site Scripting Vulnerability in KUNBUS PiCtory
CVE-2025-36558

5.1MEDIUM

Key Information:

Vendor: Kunbus Gmbh
Status: Revolution Pi Pictory
Vendor: CVE Published:; 1 May 2025

🔔 Create Kunbus Gmbh Vulnerability Alert

What is CVE-2025-36558?

KUNBUS PiCtory versions up to 2.11.1 are susceptible to cross-site scripting attacks due to improper handling of the sso_token during authentication. An attacker might exploit this vulnerability by crafting a malicious URL containing HTML script code within the sso_token. When this URL is accessed by a user, the embedded script could execute, leading to potential security breaches and unauthorized data access. It's imperative for users to ensure they are using an updated version of PiCtory to mitigate this risk.

Affected Version(s)

Revolution Pi PiCtory 0 <= 2.11.1

References

https://www.cisa.gov/news-events/ics-advisories/icsa-25-1...

http://packages.revolutionpi.de/pool/main/p/pictory/

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 1, 2025
Vulnerability Reserved
Apr 17, 2025

Credit

Adam Bromiley of Pen Test Partners reported these vulnerabilities to CISA.