CVE-2025-36558
📋 TL;DR
KUNBUS PiCtory versions 2.11.1 and earlier contain a cross-site scripting (XSS) vulnerability in the sso_token parameter used for authentication. An attacker can craft malicious URLs containing scripts in the sso_token that execute in users' browsers when they visit the URL. This affects all users of vulnerable PiCtory installations.
💻 Affected Systems
- KUNBUS PiCtory
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.
Likely Case
Session hijacking, credential theft, or unauthorized actions within the PiCtory application.
If Mitigated
Limited impact if proper input validation and output encoding are implemented, though some risk remains.
🎯 Exploit Status
Exploitation requires user interaction (clicking malicious link) but is technically simple once the URL is crafted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.11.2 or later
Vendor Advisory: http://packages.revolutionpi.de/pool/main/p/pictory/
Restart Required: Yes
Instructions:
1. Backup current PiCtory configuration.
2. Update PiCtory using apt-get update && apt-get upgrade pictory.
3. Restart the PiCtory service or reboot the system.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation that rejects any sso_token value containing script tags or other characters outside the token's expected format, before the value is reflected into a page.
# Requires custom web server configuration or application modification
Content Security Policy
Implement Content Security Policy headers so the browser only executes scripts from trusted sources; a policy that omits 'unsafe-inline' prevents a script reflected from the sso_token parameter from running.
# Add to web server config: Content-Security-Policy: script-src 'self'
🧯 If You Can't Patch
- Restrict network access to PiCtory web interface to trusted IPs only
- Educate users not to click untrusted PiCtory URLs and implement URL filtering
🔍 How to Verify
Check if Vulnerable:
Check the PiCtory version via dpkg -l pictory or in the web interface. If the version is ≤2.11.1, the system is vulnerable.
Check Version:
dpkg -l | grep pictory
Verify Fix Applied:
Confirm the version is ≥2.11.2, then submit a test value such as <script>alert('test')</script> in the sso_token parameter and confirm it is rejected or rendered as inert text rather than executed.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with sso_token containing <script>, javascript:, or encoded script tags in web server logs
Network Indicators:
- Unusual outbound connections from PiCtory server after sso_token requests
SIEM Query:
web.url:*sso_token=*<script>* OR web.url:*sso_token=*javascript:*
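The SIEM query above matches only literal <script> and javascript: strings, so percent-encoded or double-encoded variants (which the log indicators list also names) slip past it. The following is an added example, not part of this advisory or of KUNBUS's software: it parses combined-format web server access logs, extracts sso_token, decodes nested percent-encoding, and flags values that contain script indicators or fall outside an assumed base64url/JWT-like token shape. The log format and the token allowlist are assumptions; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log lines in combined-log style; not from a real PiCtory host.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2025:10:00:01 +0000] "GET /pictory/?sso_token=abc123.DEF-456 HTTP/1.1" 200 512
10.0.0.7 - - [01/May/2025:10:00:02 +0000] "GET /pictory/?sso_token=<script>alert('test')</script> HTTP/1.1" 200 512
10.0.0.9 - - [01/May/2025:10:00:03 +0000] "GET /pictory/?sso_token=%3Cscript%3Ealert%28%27test%27%29%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.9 - - [01/May/2025:10:00:04 +0000] "GET /pictory/?sso_token=%253Cscript%253E HTTP/1.1" 200 512
10.0.0.4 - - [01/May/2025:10:00:05 +0000] "GET /pictory/?sso_token=javascript:void(0) HTTP/1.1" 200 512
10.0.0.8 - - [01/May/2025:10:00:06 +0000] "GET /pictory/?sso_token=abc%22def HTTP/1.1" 200 512
10.0.0.3 - - [01/May/2025:10:00:07 +0000] "GET /pictory/?page=1 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Indicators named in the advisory: script tags and javascript: URLs, plus any other HTML tag.
INDICATOR_RE = re.compile(r"<\s*script|javascript\s*:|<\s*/?[a-z][^>]*>", re.I)
# Assumed shape of a legitimate token (base64url/JWT-like); adjust to the real token format.
TOKEN_OK_RE = re.compile(r"^[A-Za-z0-9._~-]+$")

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding until the value stops changing (catches double encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return a finding dict for a suspicious sso_token in one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlparse(m["target"]).query, keep_blank_values=True)
    for raw in params.get("sso_token", []):  # parse_qs already removed one encoding layer
        token = fully_decode(raw)
        if INDICATOR_RE.search(token):
            return {"ip": m["ip"], "ts": m["ts"], "reason": "script indicator", "token": token}
        if not TOKEN_OK_RE.match(token):
            return {"ip": m["ip"], "ts": m["ts"], "reason": "token outside allowlist", "token": token}
    return None

def scan_log(text):
    """Scan a whole log; findings keep the order of the input lines."""
    return [hit for hit in map(scan_line, text.splitlines()) if hit]
```

Run scan_log over a real access log to get one finding per request whose sso_token decodes to a script indicator or to something that is not a well-formed token; the allowlist branch surfaces probing that uses neither of the two literal strings in the SIEM query.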