Adam Bromiley

**Name of the Vulnerable Software and Affected Versions** KUNBUS Revolution Pi OS Bookworm 01/2025 **Description** The issue arises because authentication is not configured by default for the Node-RED server. This can give an unauthenticated remote attacker full access to the Node-RED server, where they can run arbitrary commands on the underlying operating system. **Recommendations** For KUNBUS Revolution Pi OS Bookworm 01/2025, configure authentication for the Node-RED server to prevent unauthenticated access.

**Name of the Vulnerable Software and Affected Versions** KUNBUS PiCtory versions 2.5.0 through 2.11.1 **Description** The issue allows a remote attacker to bypass authentication and gain access due to a path traversal vulnerability. This enables unauthorized access, potentially leading to further exploitation. **Recommendations** For versions 2.5.0 through 2.11.1, update to a version that includes a fix for the authentication bypass vulnerability. As a temporary workaround, consider restricting access to sensitive areas of the system to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** KUNBUS PiCtory versions 2.11.1 and earlier **Description** The issue arises when an authenticated remote attacker crafts a special filename that can be stored by API endpoints, which is later transmitted to the client to show a list of configuration files. Due to a missing escape or sanitization, the filename could be executed as an HTML script tag, resulting in a cross-site-scripting attack. **Recommendations** For KUNBUS PiCtory versions 2.11.1 and earlier, consider implementing proper sanitization or escape mechanisms for filenames stored by API endpoints to prevent cross-site-scripting attacks. As a temporary workaround, restrict access to API endpoints that handle filename storage and transmission to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** KUNBUS PiCtory versions 2.11.1 and earlier **Description** The issue allows for cross-site scripting attacks via the `sso token` used for authentication. If an attacker provides a user with a KUNBUS PiCtory URL containing an HTML script as an `sso token`, the script will respond to the user and be executed. **Recommendations** For KUNBUS PiCtory versions 2.11.1 and earlier, consider disabling the use of the `sso token` for authentication until a patch is available. Restrict access to URLs that contain HTML scripts as `sso token` to minimize the risk of exploitation. Avoid using the `sso token` parameter in affected URLs until the issue is resolved.