This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: KUNBUS PiCtory (v2.11.1 & older) has a **File Name Unescaped** flaw. <br>π₯ **Consequences**: Leads to **Cross-Site Scripting (XSS)**.β¦
π **Affected Vendor**: KUNBUS GmbH. <br>π¦ **Product**: Revolution Pi PiCtory. <br>π **Versions**: **2.11.1 and earlier**. If you are running an older version, you are at risk.
Q4What can hackers do? (Privileges/Data)
π» **Attacker Actions**: <br>1. Execute arbitrary **JavaScript** in the victim's browser. <br>2. Steal **session cookies** or credentials. <br>3. Perform actions on behalf of the user. <br>4.β¦
π« **Public Exploit**: **No**. The `pocs` field is empty. <br>π’ **Wild Exploitation**: Currently **Low**. No known public Proof-of-Concept (PoC) or widespread automated attacks detected yet.β¦
π **Self-Check**: <br>1. Check your PiCtory version. Is it **β€ 2.11.1**? <br>2. Inspect network traffic for unsanitized file names in HTML responses. <br>3.β¦
π§ **No Patch Workaround**: <br>1. **Restrict Access**: Limit access to PiCtory to trusted internal networks only. <br>2. **Input Validation**: If possible, enforce strict file naming conventions on the server side.β¦
π₯ **Urgency**: **High Priority**. <br>π **Published**: May 1, 2025. <br>β‘ **Reason**: CVSS Score is **High** (likely 8.0+ based on vector). It affects industrial control systems (ICS).β¦