| Article No° | Product Name | Affected Version(s) |
|---|---|---|
| Pilz Software PiCtory | < 2.12 |
PiCtory, a web application to configure the Pilz industrial PC IndustrialPI, has three vulnerabilities with varying degrees of severity. The first two are of critical severity and can lead to a bypass of authentication and a cross-site-scripting attack. The third vulnerability with medium severity puts PiCtory at a risk of a reflected cross-site-scripting attack.
KUNBUS PiCtory versions 2.5.0 through 2.11.1 have an authentication bypass vulnerability where a remote attacker can bypass authentication to get access due to a path traversal.
KUNBUS PiCtory version 2.11.1 and earlier are vulnerable when an authenticated remote attacker crafts a special filename that can be stored by API endpoints. That filename is later transmitted to the client in order to show a list of configuration files. Due to a missing escape or sanitization, the filename could be executed as HTML script tag resulting in a cross-site-scripting attack.
KUNBUS PiCtory version 2.11.1 and earlier are vulnerable to a cross-site-scripting attack via the sso_token used for authentication. If an attacker provides the user with a PiCtory URL containing an HTML script as an sso_token, that script will reply to the user and be executed.
An unauthenticated attacker can change the configuration of the PiCtory project. This can lead to unwanted behavior or a Denial of Service.
Remediation
Update the PiCtory package to version 2.12 via the 'apt' package manager. Use 'sudo apt update && sudo apt upgrade -y' to pull and install all available updates for the IndustrialPI. To check the version of the pictory package, use 'dpkg -l | grep pictory'.; Limit network access to the IndustrialPI by using a firewall or similar measures.;
CERT@VDE coordinated with Pilz GmbH & Co. KG