CVE-2025-36558

KUNBUS PiCtory version 2.11.1 and earlier are vulnerable to a cross-site-scripting attack via the sso_token used for authentication. If an attacker provides the user with a PiCtory URL containing an HTML script as an sso_token, that script will reply to the user and be executed.

KUNBUS PiCtory version 2.11.1 and earlier are vulnerable to a cross-site-scripting attack via the sso_token used for authentication. If an attacker provides the user with a PiCtory URL containing an HTML script as an sso_token, that script will reply to the user and be executed.

KUNBUS PiCtory versión 2.11.1 y anteriores son vulnerables a ataques de cross-site scripting mediante el token sso_token utilizado para la autenticación. Si un atacante proporciona al usuario una URL de PiCtory que contiene un script HTML como token sso_token, dicho script responderá al usuario y se ejecutará.