PPSA-2025-001
Vulnerability from csaf_pilzgmbhcokg - Published: 2025-06-30 10:00 - Updated: 2025-06-30 10:00

KUNBUS PiCtory versions 2.5.0 through 2.11.1 have an authentication bypass vulnerability where a remote attacker can bypass authentication to get access due to a path traversal.
KUNBUS PiCtory version 2.11.1 and earlier are vulnerable when an authenticated remote attacker crafts a special filename that can be stored by API endpoints. That filename is later transmitted to the client in order to show a list of configuration files. Due to missing escaping or sanitization, the filename could be interpreted as an HTML script tag, resulting in a cross-site-scripting attack.
KUNBUS PiCtory version 2.11.1 and earlier are vulnerable to a cross-site-scripting attack via the sso_token used for authentication. If an attacker provides the user with a PiCtory URL containing an HTML script as the sso_token, that script is reflected back to the user and executed.
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
}
],
"aggregate_severity": {
"namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "PiCtory, a web application to configure the Pilz industrial PC IndustrialPI, has three vulnerabilities with varying degrees of severity. The first two are of critical severity and can lead to a bypass of authentication and a cross-site-scripting attack. The third vulnerability with medium severity puts PiCtory at a risk of a reflected cross-site-scripting attack.",
"title": "Summary"
},
{
"category": "description",
"text": "An unauthenticated attacker can change the configuration of the PiCtory project. This can lead to unwanted behavior or a Denial of Service.",
"title": "Impact"
},
{
"category": "description",
"text": "Update the PiCtory package to version 2.12 via the \u0027apt\u0027 package manager. Use \u0027sudo apt update \u0026\u0026 sudo apt upgrade -y\u0027 to pull and install all available updates for the IndustrialPI. To check the version of the pictory package, use \u0027dpkg -l | grep pictory\u0027.; Limit network access to the IndustrialPI by using a firewall or similar measures.; ",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "security@pilz.com",
"name": "Pilz GmbH \u0026 Co. KG",
"namespace": "https://www.pilz.com"
},
"references": [
{
"category": "external",
"summary": "For further security-related issues in Pilz products please contact the Pilz Product Security Incident Response Team (PSIRT)",
"url": "https://www.pilz.com/security"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for Pilz GmbH \u0026 Co. KG",
"url": "https://certvde.com/en/advisories/vendor/pilz/"
},
{
"category": "self",
"summary": "PPSA-2025-001: Pilz: Authentication Bypass and Cross-Site-Scripting in PiCtory - HTML",
"url": "https://certvde.com/en/advisories/PPSA-2025-001/"
},
{
"category": "self",
"summary": "PPSA-2025-001: Pilz: Authentication Bypass and Cross-Site-Scripting in PiCtory - CSAF",
"url": "https://pilz.csaf-tp.certvde.com/.well-known/csaf/white/2025/ppsa-2025-001.json"
}
],
"title": "Pilz: Authentication Bypass and Cross-Site-Scripting in PiCtory",
"tracking": {
"aliases": [
"VDE-2025-046",
"PPSA-2025-001"
],
"current_release_date": "2025-06-30T10:00:00.000Z",
"generator": {
"date": "2025-06-24T10:07:02.640Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.26"
}
},
"id": "PPSA-2025-001",
"initial_release_date": "2025-06-30T10:00:00.000Z",
"revision_history": [
{
"date": "2025-06-30T10:00:00.000Z",
"number": "1",
"summary": "Initial Version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "IndustrialPI 4",
"product": {
"name": "Pilz Hardware IndustrialPI 4",
"product_id": "CSAFPID-11000",
"product_identification_helper": {
"model_numbers": [
"A1000002",
"A1000003"
]
}
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=2024-08",
"product": {
"name": "Pilz Firmware Bullseye \u003c=2024-08",
"product_id": "CSAFPID-21000"
}
}
],
"category": "product_name",
"name": "Bullseye"
}
],
"category": "product_family",
"name": "Firmware"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c2.12",
"product": {
"name": "Pilz Software PiCtory \u003c2.12",
"product_id": "CSAFPID-51000"
}
},
{
"category": "product_version",
"name": "2.12",
"product": {
"name": "Pilz Software PiCtory 2.12",
"product_id": "CSAFPID-52000"
}
}
],
"category": "product_name",
"name": "PiCtory"
}
],
"category": "product_family",
"name": "Software"
}
],
"category": "vendor",
"name": "Pilz"
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Pilz Firmware Bullseye \u003c=2024-08 installed on Pilz Hardware IndustrialPI 4",
"product_id": "CSAFPID-31000"
},
"product_reference": "CSAFPID-21000",
"relates_to_product_reference": "CSAFPID-11000"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Pilz Software PiCtory \u003c2.12 installed on (Pilz Firmware Bullseye \u003c=2024-08 installed on Pilz Hardware IndustrialPI 4)",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-51000",
"relates_to_product_reference": "CSAFPID-31000"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Pilz Software PiCtory 2.12 installed on (Pilz Firmware Bullseye \u003c=2024-08 installed on Pilz Hardware IndustrialPI 4)",
"product_id": "CSAFPID-32000"
},
"product_reference": "CSAFPID-52000",
"relates_to_product_reference": "CSAFPID-31000"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-32011",
"cwe": {
"id": "CWE-305",
"name": "Authentication Bypass by Primary Weakness"
},
"notes": [
{
"category": "description",
"text": "KUNBUS PiCtory versions 2.5.0 through 2.11.1 have an authentication bypass vulnerability where a remote attacker can bypass authentication to get access due to a path traversal.",
"title": "Summary"
}
],
"product_status": {
"fixed": [
"CSAFPID-32000"
],
"known_affected": [
"CSAFPID-31001"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update the PiCtory package to version 2.12 via the \u0027apt\u0027 package manager. Use \u0027sudo apt update \u0026\u0026 sudo apt upgrade -y\u0027 to pull and install all available updates for the IndustrialPI. To check the version of the pictory package, use \u0027dpkg -l | grep pictory\u0027.",
"product_ids": [
"CSAFPID-31001"
]
},
{
"category": "mitigation",
"details": "Limit network access to the IndustrialPI by using a firewall or similar measures.",
"product_ids": [
"CSAFPID-31001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "HIGH",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "UNCHANGED",
"modifiedUserInteraction": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001"
]
}
],
"title": "CVE-2025-32011"
},
{
"cve": "CVE-2025-35996",
"cwe": {
"id": "CWE-97",
"name": "Improper Neutralization of Server-Side Includes (SSI) Within a Web Page"
},
"notes": [
{
"category": "description",
"text": "KUNBUS PiCtory version 2.11.1 and earlier are vulnerable when an authenticated remote attacker crafts a special filename that can be stored by API endpoints. That filename is later transmitted to the client in order to show a list of configuration files. Due to a missing escape or sanitization, the filename could be executed as HTML script tag resulting in a cross-site-scripting attack.",
"title": "Summary"
}
],
"product_status": {
"fixed": [
"CSAFPID-32000"
],
"known_affected": [
"CSAFPID-31001"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update the PiCtory package to version 2.12 via the \u0027apt\u0027 package manager. Use \u0027sudo apt update \u0026\u0026 sudo apt upgrade -y\u0027 to pull and install all available updates for the IndustrialPI. To check the version of the pictory package, use \u0027dpkg -l | grep pictory\u0027.",
"product_ids": [
"CSAFPID-31001"
]
},
{
"category": "mitigation",
"details": "Limit network access to the IndustrialPI by using a firewall or similar measures.",
"product_ids": [
"CSAFPID-31001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.1,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "HIGH",
"modifiedConfidentialityImpact": "HIGH",
"modifiedIntegrityImpact": "HIGH",
"modifiedPrivilegesRequired": "LOW",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"temporalScore": 9,
"temporalSeverity": "CRITICAL",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001"
]
}
],
"title": "CVE-2025-35996"
},
{
"cve": "CVE-2025-36558",
"cwe": {
"id": "CWE-97",
"name": "Improper Neutralization of Server-Side Includes (SSI) Within a Web Page"
},
"notes": [
{
"category": "description",
"text": "KUNBUS PiCtory version 2.11.1 and earlier are vulnerable to a cross-site-scripting attack via the sso_token used for authentication. If an attacker provides the user with a PiCtory URL containing an HTML script as an sso_token, that script will reply to the user and be executed.",
"title": "Summary"
}
],
"product_status": {
"fixed": [
"CSAFPID-32000"
],
"known_affected": [
"CSAFPID-31001"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Update the PiCtory package to version 2.12 via the \u0027apt\u0027 package manager. Use \u0027sudo apt update \u0026\u0026 sudo apt upgrade -y\u0027 to pull and install all available updates for the IndustrialPI. To check the version of the pictory package, use \u0027dpkg -l | grep pictory\u0027.",
"product_ids": [
"CSAFPID-31001"
]
},
{
"category": "mitigation",
"details": "Limit network access to the IndustrialPI by using a firewall or similar measures.",
"product_ids": [
"CSAFPID-31001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"environmentalScore": 6.1,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "LOW",
"modifiedAttackComplexity": "LOW",
"modifiedAttackVector": "NETWORK",
"modifiedAvailabilityImpact": "NONE",
"modifiedConfidentialityImpact": "LOW",
"modifiedIntegrityImpact": "LOW",
"modifiedPrivilegesRequired": "NONE",
"modifiedScope": "CHANGED",
"modifiedUserInteraction": "REQUIRED",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"temporalScore": 6.1,
"temporalSeverity": "MEDIUM",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-31001"
]
}
],
"title": "CVE-2025-36558"
}
]
}