Search criteria
45 vulnerabilities found for pi_vision by osisoft
FKIE_CVE-2020-25167
Vulnerability from fkie_nvd - Published: 2022-04-18 17:15 - Updated: 2024-11-21 05:17
Severity ?
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
OSIsoft PI Vision 2020 versions prior to 3.5.0 could disclose information to a user with insufficient privileges for an AF attribute.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02 | Third Party Advisory, US Government Resource |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:osisoft:pi_vision:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E5963B0F-AD5A-48E5-BEE9-745FCF8FF379",
"versionEndExcluding": "3.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OSIsoft PI Vision 2020 versions prior to 3.5.0 could disclose information to a user with insufficient privileges for an AF attribute."
},
{
"lang": "es",
"value": "OSIsoft PI Vision 2020 versiones anteriores a 3.5.0, pod\u00edan divulgar informaci\u00f3n a un usuario con privilegios insuficientes para un atributo AF"
}
],
"id": "CVE-2020-25167",
"lastModified": "2024-11-21T05:17:31.840",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-18T17:15:12.300",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
]
}
FKIE_CVE-2020-25163
Vulnerability from fkie_nvd - Published: 2022-04-18 17:15 - Updated: 2024-11-21 05:17
Severity ?
7.7 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Summary
A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with victim’s user permissions.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02 | Third Party Advisory, US Government Resource |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:osisoft:pi_vision:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D871A52C-B847-408D-8C8C-1D4589C0A6F8",
"versionEndExcluding": "2020",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with victim\u2019s user permissions."
},
{
"lang": "es",
"value": "Un atacante remoto con acceso de escritura a los archivos PI ProcessBook podr\u00eda inyectar c\u00f3digo importado en OSIsoft PI Vision 2020 versiones anteriores a 3.5.0. Tambi\u00e9n es posible la divulgaci\u00f3n, modificaci\u00f3n o eliminaci\u00f3n de informaci\u00f3n no autorizada si una v\u00edctima visualiza o interact\u00faa con la pantalla infectada. Esta vulnerabilidad afecta a los datos del Sistema PI y a otros datos accesibles con los permisos de usuario de la v\u00edctima"
}
],
"id": "CVE-2020-25163",
"lastModified": "2024-11-21T05:17:31.017",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 5.8,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-18T17:15:12.230",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
}
]
}
FKIE_CVE-2021-43553
Vulnerability from fkie_nvd - Published: 2021-11-17 19:15 - Updated: 2024-11-21 06:29
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
PI Vision could disclose information to a user with insufficient privileges for an AF attribute that is the child of another attribute and is configured as a Limits property.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05 | Third Party Advisory, US Government Resource |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:osisoft:pi_vision:*:*:*:*:*:*:*:*",
"matchCriteriaId": "804EDFF4-28CE-4FF1-9A02-DF47A77255E1",
"versionEndExcluding": "2021",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PI Vision could disclose information to a user with insufficient privileges for an AF attribute that is the child of another attribute and is configured as a Limits property."
},
{
"lang": "es",
"value": "PI Vision podr\u00eda revelar informaci\u00f3n a un usuario con privilegios insuficientes para un atributo de AF que es hijo de otro atributo y est\u00e1 configurado como una propiedad de L\u00edmites"
}
],
"id": "CVE-2021-43553",
"lastModified": "2024-11-21T06:29:25.290",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-11-17T19:15:09.160",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-43551
Vulnerability from fkie_nvd - Published: 2021-11-17 19:15 - Updated: 2024-11-21 06:29
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
A remote attacker with write access to PI Vision could inject code into a display. Unauthorized information disclosure, modification, or deletion is possible if a victim views or interacts with the infected display using Microsoft Internet Explorer. The impact affects PI System data and other data accessible with victim's user permissions.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05 | Third Party Advisory, US Government Resource |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:osisoft:pi_vision:*:*:*:*:*:*:*:*",
"matchCriteriaId": "804EDFF4-28CE-4FF1-9A02-DF47A77255E1",
"versionEndExcluding": "2021",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A remote attacker with write access to PI Vision could inject code into a display. Unauthorized information disclosure, modification, or deletion is possible if a victim views or interacts with the infected display using Microsoft Internet Explorer. The impact affects PI System data and other data accessible with victim\u0027s user permissions."
},
{
"lang": "es",
"value": "Un atacante remoto con acceso de escritura a PI Vision podr\u00eda inyectar c\u00f3digo en una pantalla. La divulgaci\u00f3n, modificaci\u00f3n o eliminaci\u00f3n de informaci\u00f3n no autorizada es posible si una v\u00edctima ve o interact\u00faa con la pantalla infectada usando Microsoft Internet Explorer. El impacto afecta a los datos del Sistema PI y otros datos accesibles con los permisos de usuario de la v\u00edctima"
}
],
"id": "CVE-2021-43551",
"lastModified": "2024-11-21T06:29:24.990",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 4.7,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-11-17T19:15:09.100",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-10643
Vulnerability from fkie_nvd - Published: 2020-07-27 22:15 - Updated: 2024-11-21 04:55
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
An authenticated remote attacker could use specially crafted URLs to send a victim using PI Vision 2019 mobile to a vulnerable web page due to a known issue in a third-party component.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02 | Third Party Advisory, US Government Resource |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:osisoft:pi_vision:2019:*:*:*:*:*:*:*",
"matchCriteriaId": "35991BD2-CA3C-4A5C-B3C3-CB4DA09177AC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An authenticated remote attacker could use specially crafted URLs to send a victim using PI Vision 2019 mobile to a vulnerable web page due to a known issue in a third-party component."
},
{
"lang": "es",
"value": "Un atacante remoto autenticado podr\u00eda usar unas URL especialmente dise\u00f1adas para enviar a una v\u00edctima que usa PI Vision 2019 mobile a una p\u00e1gina web vulnerable debido a un problema conocido en un componente de terceros"
}
],
"id": "CVE-2020-10643",
"lastModified": "2024-11-21T04:55:45.643",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-27T22:15:12.077",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-10614
Vulnerability from fkie_nvd - Published: 2020-07-25 00:15 - Updated: 2024-11-21 04:55
Severity ?
Summary
In OSIsoft PI System multiple products and versions, an authenticated remote attacker with write access to PI Vision databases could inject code into a display. Unauthorized information disclosure, deletion, or modification is possible if a victim views the infected display.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02 | Third Party Advisory, US Government Resource |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:osisoft:pi_vision:*:*:*:*:*:*:*:*",
"matchCriteriaId": "94A49C22-9197-4D0E-8E46-E87A6E997975",
"versionEndIncluding": "2019",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In OSIsoft PI System multiple products and versions, an authenticated remote attacker with write access to PI Vision databases could inject code into a display. Unauthorized information disclosure, deletion, or modification is possible if a victim views the infected display."
},
{
"lang": "es",
"value": "En m\u00faltiples productos y versiones de OSIsoft PI System, un atacante autenticado remoto con acceso de escritura a las bases de datos de PI Vision podr\u00eda inyectar c\u00f3digo en una pantalla. La divulgaci\u00f3n, eliminaci\u00f3n o modificaci\u00f3n de informaci\u00f3n no autorizada es posible si una v\u00edctima visualiza la pantalla infectada"
}
],
"id": "CVE-2020-10614",
"lastModified": "2024-11-21T04:55:42.120",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-25T00:15:12.127",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-18273
Vulnerability from fkie_nvd - Published: 2020-01-15 19:15 - Updated: 2024-11-21 04:32
Severity ?
Summary
OSIsoft PI Vision, PI Vision 2017 R2 and PI Vision 2017 R2 SP1. The affected product is vulnerable to cross-site scripting, which may allow invalid input to be introduced.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.us-cert.gov/ics/advisories/icsa-20-014-06 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.us-cert.gov/ics/advisories/icsa-20-014-06 | Third Party Advisory, US Government Resource |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:osisoft:pi_vision:2017:r2:*:*:*:*:*:*",
"matchCriteriaId": "54E097BD-B6A5-4153-BC11-268AF90588A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:osisoft:pi_vision:2017:r2_sp1:*:*:*:*:*:*",
"matchCriteriaId": "5AFCB5FE-888E-4033-AB60-08DC2DACCC05",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OSIsoft PI Vision, PI Vision 2017 R2 and PI Vision 2017 R2 SP1. The affected product is vulnerable to cross-site scripting, which may allow invalid input to be introduced."
},
{
"lang": "es",
"value": "OSIsoft PI Vision, PI Vision versi\u00f3n 2017 R2 y PI Vision versi\u00f3n 2017 R2 SP1. El producto afectado es vulnerable a un ataque de tipo cross-site scripting, lo que puede permitir una entrada no v\u00e1lida a ser introducida."
}
],
"id": "CVE-2019-18273",
"lastModified": "2024-11-21T04:32:56.993",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-01-15T19:15:13.643",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-18271
Vulnerability from fkie_nvd - Published: 2020-01-15 19:15 - Updated: 2024-11-21 04:32
Severity ?
Summary
OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to a cross-site request forgery that may be introduced on the PI Vision administration site.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.us-cert.gov/ics/advisories/icsa-20-014-06 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.us-cert.gov/ics/advisories/icsa-20-014-06 | Third Party Advisory, US Government Resource |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:osisoft:pi_vision:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3112408C-9A01-45A9-B41C-233737700333",
"versionEndExcluding": "2019",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to a cross-site request forgery that may be introduced on the PI Vision administration site."
},
{
"lang": "es",
"value": "OSIsoft PI Vision, todas las versiones de PI Vision anteriores a 2019. El producto afectado es vulnerable a un ataque de tipo cross-site request forgery que puede ser introducido en el sitio de administraci\u00f3n de PI Vision."
}
],
"id": "CVE-2019-18271",
"lastModified": "2024-11-21T04:32:56.873",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-01-15T19:15:13.550",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-18244
Vulnerability from fkie_nvd - Published: 2020-01-15 19:15 - Updated: 2024-11-21 04:32
Severity ?
Summary
In OSIsoft PI System multiple products and versions, a local attacker could view sensitive information in log files when service accounts are customized during installation or upgrade of PI Vision. The update fixes a previously reported issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:osisoft:pi_vision:2017:r2:*:*:*:*:*:*",
"matchCriteriaId": "54E097BD-B6A5-4153-BC11-268AF90588A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:osisoft:pi_vision:2017:r2_sp1:*:*:*:*:*:*",
"matchCriteriaId": "5AFCB5FE-888E-4033-AB60-08DC2DACCC05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:osisoft:pi_vision:2019:*:*:*:*:*:*:*",
"matchCriteriaId": "35991BD2-CA3C-4A5C-B3C3-CB4DA09177AC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In OSIsoft PI System multiple products and versions, a local attacker could view sensitive information in log files when service accounts are customized during installation or upgrade of PI Vision. The update fixes a previously reported issue."
},
{
"lang": "es",
"value": "En OSIsoft PI System m\u00faltiples productos y versiones, un atacante local podr\u00eda ver informaci\u00f3n sensible en archivos de registro cuando las cuentas de servicio se personalizan durante la instalaci\u00f3n o actualizaci\u00f3n de PI Vision. La actualizaci\u00f3n corrige un problema previamente reportado"
}
],
"id": "CVE-2019-18244",
"lastModified": "2024-11-21T04:32:54.597",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 1.9,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.4,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-01-15T19:15:13.440",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-532"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-532"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-18275
Vulnerability from fkie_nvd - Published: 2020-01-15 19:15 - Updated: 2024-11-21 04:32
Severity ?
Summary
OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to an improper access control, which may return unauthorized tag data when viewing analysis data reference attributes.
References
| URL | Tags | ||
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.us-cert.gov/ics/advisories/icsa-20-014-06 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.us-cert.gov/ics/advisories/icsa-20-014-06 | Third Party Advisory, US Government Resource |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:osisoft:pi_vision:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3112408C-9A01-45A9-B41C-233737700333",
"versionEndExcluding": "2019",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to an improper access control, which may return unauthorized tag data when viewing analysis data reference attributes."
},
{
"lang": "es",
"value": "OSIsoft PI Vision, todas las versiones de PI Vision anteriores a 2019. El producto afectado es vulnerable a un control de acceso inapropiado, lo que puede devolver datos de etiqueta no autorizados cuando se visualizan los atributos de referencia de datos de an\u00e1lisis."
}
],
"id": "CVE-2019-18275",
"lastModified": "2024-11-21T04:32:57.107",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-01-15T19:15:13.737",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2020-25167 (GCVE-0-2020-25167)
Vulnerability from cvelistv5 – Published: 2022-04-18 16:20 – Updated: 2025-04-16 16:29
VLAI?
Title
OSIsoft PI Vision Incorrect Authorization
Summary
OSIsoft PI Vision 2020 versions prior to 3.5.0 could disclose information to a user with insufficient privileges for an AF attribute.
Severity ?
4.9 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Credits
OSIsoft reported these vulnerabilities to CISA
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:26:10.216Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-25167",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:54:04.855314Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:29:22.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PI Vision",
"vendor": "OSIsoft",
"versions": [
{
"lessThan": "2020",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "OSIsoft reported these vulnerabilities to CISA"
}
],
"descriptions": [
{
"lang": "en",
"value": "OSIsoft PI Vision 2020 versions prior to 3.5.0 could disclose information to a user with insufficient privileges for an AF attribute."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-18T16:20:46.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
}
],
"solutions": [
{
"lang": "en",
"value": "OSIsoft released PI Vision 2020 Version 3.5.0, which resolves these vulnerabilities.\n\nRecommended defensive measures and related configuration settings are described on the OSIsoft customer portal (Login required)."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "OSIsoft PI Vision Incorrect Authorization",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-25167",
"STATE": "PUBLIC",
"TITLE": "OSIsoft PI Vision Incorrect Authorization"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PI Vision",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2020"
}
]
}
}
]
},
"vendor_name": "OSIsoft"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "OSIsoft reported these vulnerabilities to CISA"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OSIsoft PI Vision 2020 versions prior to 3.5.0 could disclose information to a user with insufficient privileges for an AF attribute."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863: Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02",
"refsource": "CONFIRM",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "OSIsoft released PI Vision 2020 Version 3.5.0, which resolves these vulnerabilities.\n\nRecommended defensive measures and related configuration settings are described on the OSIsoft customer portal (Login required)."
}
],
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-25167",
"datePublished": "2022-04-18T16:20:46.000Z",
"dateReserved": "2020-09-04T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:29:22.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25163 (GCVE-0-2020-25163)
Vulnerability from cvelistv5 – Published: 2022-04-18 16:20 – Updated: 2025-04-16 17:55
VLAI?
Title
OSIsoft PI Vision Cross-site Scripting
Summary
A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with victim’s user permissions.
Severity ?
7.7 (High)
CWE
- CWE-79 - Cross-site Scripting
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Credits
OSIsoft reported these vulnerabilities to CISA
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:26:09.485Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-25163",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T17:29:40.461576Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T17:55:26.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PI Vision",
"vendor": "OSIsoft",
"versions": [
{
"lessThan": "2020",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "OSIsoft reported these vulnerabilities to CISA"
}
],
"descriptions": [
{
"lang": "en",
"value": "A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with victim\u2019s user permissions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Cross-site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-18T16:20:45.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
}
],
"solutions": [
{
"lang": "en",
"value": "OSIsoft released PI Vision 2020 Version 3.5.0, which resolves these vulnerabilities.\n\nRecommended defensive measures and related configuration settings are described on the OSIsoft customer portal (Login required)."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "OSIsoft PI Vision Cross-site Scripting",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-25163",
"STATE": "PUBLIC",
"TITLE": "OSIsoft PI Vision Cross-site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PI Vision",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2020"
}
]
}
}
]
},
"vendor_name": "OSIsoft"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "OSIsoft reported these vulnerabilities to CISA"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with victim\u2019s user permissions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Cross-site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02",
"refsource": "CONFIRM",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "OSIsoft released PI Vision 2020 Version 3.5.0, which resolves these vulnerabilities.\n\nRecommended defensive measures and related configuration settings are described on the OSIsoft customer portal (Login required)."
}
],
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-25163",
"datePublished": "2022-04-18T16:20:45.000Z",
"dateReserved": "2020-09-04T00:00:00.000Z",
"dateUpdated": "2025-04-16T17:55:26.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43553 (GCVE-0-2021-43553)
Vulnerability from cvelistv5 – Published: 2021-11-17 18:20 – Updated: 2024-09-16 19:46
VLAI?
Title
OSIsoft PI Vision
Summary
PI Vision could disclose information to a user with insufficient privileges for an AF attribute that is the child of another attribute and is configured as a Limits property.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:06.911Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PI Vision",
"vendor": "OSIsoft",
"versions": [
{
"lessThanOrEqual": "2021",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-11-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "PI Vision could disclose information to a user with insufficient privileges for an AF attribute that is the child of another attribute and is configured as a Limits property."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-17T18:20:51",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OSIsoft PI Vision",
"workarounds": [
{
"lang": "en",
"value": "OSIsoft recommends upgrading to PI vision 2021. Information can be found in the OSIsoft PI Vision security bulletin (registration required).\n\nOSIsoft recommends users apply the following workarounds for PI Vision to help reduce risk:\n\nConfigure Publisher and Explorer roles in PI Vision User Access Levels to restrict which users can create or modify displays.\nRemove any Limits properties from AF child attributes using PI System Explorer or a bulk editing tool.\nOSIsoft recommends the following defense measures to lower the impact of exploitation for PI Vision:\n\nUse a modern web browser such as Microsoft Edge, Google Chrome, or Mozilla FireFox. Do not use Microsoft Internet Explorer.\nIf upgrade is not an option, administrators should regularly audit the AF hierarchy to ensure there are no unexpected or unknown elements, attributes, or attribute properties. It is recommended security on elements in AF be configured and enforced in addition to configuring PI point security.\nPotential unauthorized viewing of PI System data due to this issue is limited to permissions granted to the PI Vision Application Pool Identity.\u202f Configure a dedicated identity mapping for PI Vision servers and manage permissions in accordance with a data classification policy.\nSee OSIsoft customer portal knowledge article for additional details and associated security updates (registration required)."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2021-11-09T19:12:00.000Z",
"ID": "CVE-2021-43553",
"STATE": "PUBLIC",
"TITLE": "OSIsoft PI Vision"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PI Vision",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "All versions",
"version_value": "2021"
}
]
}
}
]
},
"vendor_name": "OSIsoft"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PI Vision could disclose information to a user with insufficient privileges for an AF attribute that is the child of another attribute and is configured as a Limits property."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "OSIsoft recommends upgrading to PI vision 2021. Information can be found in the OSIsoft PI Vision security bulletin (registration required).\n\nOSIsoft recommends users apply the following workarounds for PI Vision to help reduce risk:\n\nConfigure Publisher and Explorer roles in PI Vision User Access Levels to restrict which users can create or modify displays.\nRemove any Limits properties from AF child attributes using PI System Explorer or a bulk editing tool.\nOSIsoft recommends the following defense measures to lower the impact of exploitation for PI Vision:\n\nUse a modern web browser such as Microsoft Edge, Google Chrome, or Mozilla FireFox. Do not use Microsoft Internet Explorer.\nIf upgrade is not an option, administrators should regularly audit the AF hierarchy to ensure there are no unexpected or unknown elements, attributes, or attribute properties. It is recommended security on elements in AF be configured and enforced in addition to configuring PI point security.\nPotential unauthorized viewing of PI System data due to this issue is limited to permissions granted to the PI Vision Application Pool Identity.\u202f Configure a dedicated identity mapping for PI Vision servers and manage permissions in accordance with a data classification policy.\nSee OSIsoft customer portal knowledge article for additional details and associated security updates (registration required)."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-43553",
"datePublished": "2021-11-17T18:20:51.041571Z",
"dateReserved": "2021-11-08T00:00:00",
"dateUpdated": "2024-09-16T19:46:25.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43551 (GCVE-0-2021-43551)
Vulnerability from cvelistv5 – Published: 2021-11-17 18:19 – Updated: 2024-09-16 23:16
VLAI?
Title
OSIsoft PI Vision
Summary
A remote attacker with write access to PI Vision could inject code into a display. Unauthorized information disclosure, modification, or deletion is possible if a victim views or interacts with the infected display using Microsoft Internet Explorer. The impact affects PI System data and other data accessible with victim's user permissions.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:06.882Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PI Vision",
"vendor": "OSIsoft",
"versions": [
{
"lessThanOrEqual": "2021",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-11-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A remote attacker with write access to PI Vision could inject code into a display. Unauthorized information disclosure, modification, or deletion is possible if a victim views or interacts with the infected display using Microsoft Internet Explorer. The impact affects PI System data and other data accessible with victim\u0027s user permissions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-30T20:07:00",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OSIsoft PI Vision",
"workarounds": [
{
"lang": "en",
"value": "OSIsoft recommends upgrading to PI vision 2021. Information can be found in the OSIsoft PI Vision security bulletin (registration required).\n\nOSIsoft recommends users apply the following workarounds for PI Vision to help reduce risk:\n\nConfigure Publisher and Explorer roles in PI Vision User Access Levels to restrict which users can create or modify displays.\nRemove any Limits properties from AF child attributes using PI System Explorer or a bulk editing tool.\nOSIsoft recommends the following defense measures to lower the impact of exploitation for PI Vision:\n\nUse a modern web browser such as Microsoft Edge, Google Chrome, or Mozilla FireFox. Do not use Microsoft Internet Explorer.\nIf upgrade is not an option, administrators should regularly audit the AF hierarchy to ensure there are no unexpected or unknown elements, attributes, or attribute properties. It is recommended security on elements in AF be configured and enforced in addition to configuring PI point security.\nPotential unauthorized viewing of PI System data due to this issue is limited to permissions granted to the PI Vision Application Pool Identity.\u202f Configure a dedicated identity mapping for PI Vision servers and manage permissions in accordance with a data classification policy.\nSee OSIsoft customer portal knowledge article for additional details and associated security updates (registration required)."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2021-11-09T19:12:00.000Z",
"ID": "CVE-2021-43551",
"STATE": "PUBLIC",
"TITLE": "OSIsoft PI Vision"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PI Vision",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "All versions",
"version_value": "2021"
}
]
}
}
]
},
"vendor_name": "OSIsoft"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote attacker with write access to PI Vision could inject code into a display. Unauthorized information disclosure, modification, or deletion is possible if a victim views or interacts with the infected display using Microsoft Internet Explorer. The impact affects PI System data and other data accessible with victim\u0027s user permissions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "OSIsoft recommends upgrading to PI vision 2021. Information can be found in the OSIsoft PI Vision security bulletin (registration required).\n\nOSIsoft recommends users apply the following workarounds for PI Vision to help reduce risk:\n\nConfigure Publisher and Explorer roles in PI Vision User Access Levels to restrict which users can create or modify displays.\nRemove any Limits properties from AF child attributes using PI System Explorer or a bulk editing tool.\nOSIsoft recommends the following defense measures to lower the impact of exploitation for PI Vision:\n\nUse a modern web browser such as Microsoft Edge, Google Chrome, or Mozilla FireFox. Do not use Microsoft Internet Explorer.\nIf upgrade is not an option, administrators should regularly audit the AF hierarchy to ensure there are no unexpected or unknown elements, attributes, or attribute properties. It is recommended security on elements in AF be configured and enforced in addition to configuring PI point security.\nPotential unauthorized viewing of PI System data due to this issue is limited to permissions granted to the PI Vision Application Pool Identity.\u202f Configure a dedicated identity mapping for PI Vision servers and manage permissions in accordance with a data classification policy.\nSee OSIsoft customer portal knowledge article for additional details and associated security updates (registration required)."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-43551",
"datePublished": "2021-11-17T18:19:44.773827Z",
"dateReserved": "2021-11-08T00:00:00",
"dateUpdated": "2024-09-16T23:16:08.135Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10643 (GCVE-0-2020-10643)
Vulnerability from cvelistv5 – Published: 2020-07-27 21:20 – Updated: 2024-09-16 23:51
VLAI?
Title
OSIsoft PI System
Summary
An authenticated remote attacker could use specially crafted URLs to send a victim using PI Vision 2019 mobile to a vulnerable web page due to a known issue in a third-party component.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Credits
William Knowles, Senior Security Consultant at Applied Risk, reported these vulnerabilities to OSIsoft
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:06:10.551Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PI Vision",
"vendor": "OSIsoft",
"versions": [
{
"lessThanOrEqual": "2019",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "William Knowles, Senior Security Consultant at Applied Risk, reported these vulnerabilities to OSIsoft"
}
],
"datePublic": "2020-06-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An authenticated remote attacker could use specially crafted URLs to send a victim using PI Vision 2019 mobile to a vulnerable web page due to a known issue in a third-party component."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-27T21:20:54",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"solutions": [
{
"lang": "en",
"value": "Limit write access to PI Vision displays to trusted users."
}
],
"source": {
"advisory": "ICSA-20-133-02 OSIsoft PI System",
"discovery": "EXTERNAL"
},
"title": "OSIsoft PI System",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2020-06-09T00:00:00.000Z",
"ID": "CVE-2020-10643",
"STATE": "PUBLIC",
"TITLE": "OSIsoft PI System"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PI Vision",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2019"
}
]
}
}
]
},
"vendor_name": "OSIsoft"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "William Knowles, Senior Security Consultant at Applied Risk, reported these vulnerabilities to OSIsoft"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An authenticated remote attacker could use specially crafted URLs to send a victim using PI Vision 2019 mobile to a vulnerable web page due to a known issue in a third-party component."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "Limit write access to PI Vision displays to trusted users."
}
],
"source": {
"advisory": "ICSA-20-133-02 OSIsoft PI System",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-10643",
"datePublished": "2020-07-27T21:20:54.980119Z",
"dateReserved": "2020-03-16T00:00:00",
"dateUpdated": "2024-09-16T23:51:08.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10614 (GCVE-0-2020-10614)
Vulnerability from cvelistv5 – Published: 2020-07-24 23:43 – Updated: 2024-08-04 11:06
VLAI?
Summary
In OSIsoft PI System multiple products and versions, an authenticated remote attacker with write access to PI Vision databases could inject code into a display. Unauthorized information disclosure, deletion, or modification is possible if a victim views the infected display.
Severity ?
No CVSS data available.
CWE
- CWE-79 - IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | OSIsoft PI System multiple products and versions |
Affected:
OSIsoft PI System multiple products and versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:06:10.183Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI System multiple products and versions",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "OSIsoft PI System multiple products and versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In OSIsoft PI System multiple products and versions, an authenticated remote attacker with write access to PI Vision databases could inject code into a display. Unauthorized information disclosure, deletion, or modification is possible if a victim views the infected display."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-24T23:43:05",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-10614",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI System multiple products and versions",
"version": {
"version_data": [
{
"version_value": "OSIsoft PI System multiple products and versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In OSIsoft PI System multiple products and versions, an authenticated remote attacker with write access to PI Vision databases could inject code into a display. Unauthorized information disclosure, deletion, or modification is possible if a victim views the infected display."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-10614",
"datePublished": "2020-07-24T23:43:05",
"dateReserved": "2020-03-16T00:00:00",
"dateUpdated": "2024-08-04T11:06:10.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-18244 (GCVE-0-2019-18244)
Vulnerability from cvelistv5 – Published: 2020-01-15 18:50 – Updated: 2024-08-05 01:47
VLAI?
Summary
In OSIsoft PI System multiple products and versions, a local attacker could view sensitive information in log files when service accounts are customized during installation or upgrade of PI Vision. The update fixes a previously reported issue.
Severity ?
No CVSS data available.
CWE
- CWE-532 - INSERTION OF SENSITIVE INFORMATION INTO LOG FILE CWE-532
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | OSIsoft PI System multiple products and versions |
Affected:
OSIsoft PI System multiple products and versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:47:14.073Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI System multiple products and versions",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "OSIsoft PI System multiple products and versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In OSIsoft PI System multiple products and versions, a local attacker could view sensitive information in log files when service accounts are customized during installation or upgrade of PI Vision. The update fixes a previously reported issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "INSERTION OF SENSITIVE INFORMATION INTO LOG FILE CWE-532",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-24T23:38:45",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-18244",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI System multiple products and versions",
"version": {
"version_data": [
{
"version_value": "OSIsoft PI System multiple products and versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In OSIsoft PI System multiple products and versions, a local attacker could view sensitive information in log files when service accounts are customized during installation or upgrade of PI Vision. The update fixes a previously reported issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "INSERTION OF SENSITIVE INFORMATION INTO LOG FILE CWE-532"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-18244",
"datePublished": "2020-01-15T18:50:00",
"dateReserved": "2019-10-22T00:00:00",
"dateUpdated": "2024-08-05T01:47:14.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-18273 (GCVE-0-2019-18273)
Vulnerability from cvelistv5 – Published: 2020-01-15 18:44 – Updated: 2024-08-05 01:47
VLAI?
Summary
OSIsoft PI Vision, PI Vision 2017 R2 and PI Vision 2017 R2 SP1. The affected product is vulnerable to cross-site scripting, which may allow invalid input to be introduced.
Severity ?
No CVSS data available.
CWE
- CWE-79 - IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | OSIsoft PI Vision |
Affected:
PI Vision 2017 R2 and PI Vision 2017 R2 SP1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:47:14.106Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI Vision",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "PI Vision 2017 R2 and PI Vision 2017 R2 SP1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OSIsoft PI Vision, PI Vision 2017 R2 and PI Vision 2017 R2 SP1. The affected product is vulnerable to cross-site scripting, which may allow invalid input to be introduced."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-15T18:44:13",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-18273",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI Vision",
"version": {
"version_data": [
{
"version_value": "PI Vision 2017 R2 and PI Vision 2017 R2 SP1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OSIsoft PI Vision, PI Vision 2017 R2 and PI Vision 2017 R2 SP1. The affected product is vulnerable to cross-site scripting, which may allow invalid input to be introduced."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-18273",
"datePublished": "2020-01-15T18:44:13",
"dateReserved": "2019-10-22T00:00:00",
"dateUpdated": "2024-08-05T01:47:14.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-18271 (GCVE-0-2019-18271)
Vulnerability from cvelistv5 – Published: 2020-01-15 18:40 – Updated: 2024-08-05 01:47
VLAI?
Summary
OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to a cross-site request forgery that may be introduced on the PI Vision administration site.
Severity ?
No CVSS data available.
CWE
- CWE-352 - CROSS-SITE REQUEST FORGERY (CSRF) CWE-352
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | OSIsoft PI Vision |
Affected:
All versions of PI Vision prior to 2019
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:47:14.077Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI Vision",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions of PI Vision prior to 2019"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to a cross-site request forgery that may be introduced on the PI Vision administration site."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CROSS-SITE REQUEST FORGERY (CSRF) CWE-352",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-15T18:40:25",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-18271",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI Vision",
"version": {
"version_data": [
{
"version_value": "All versions of PI Vision prior to 2019"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to a cross-site request forgery that may be introduced on the PI Vision administration site."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CROSS-SITE REQUEST FORGERY (CSRF) CWE-352"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-18271",
"datePublished": "2020-01-15T18:40:25",
"dateReserved": "2019-10-22T00:00:00",
"dateUpdated": "2024-08-05T01:47:14.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-18275 (GCVE-0-2019-18275)
Vulnerability from cvelistv5 – Published: 2020-01-15 18:36 – Updated: 2024-08-05 01:47
VLAI?
Summary
OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to an improper access control, which may return unauthorized tag data when viewing analysis data reference attributes.
Severity ?
No CVSS data available.
CWE
- CWE-284 - IMPROPER ACCESS CONTROL CWE-284
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | OSIsoft PI Vision |
Affected:
All versions of PI Vision prior to 2019
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:47:14.085Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI Vision",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions of PI Vision prior to 2019"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to an improper access control, which may return unauthorized tag data when viewing analysis data reference attributes."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "IMPROPER ACCESS CONTROL CWE-284",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-15T18:36:52",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-18275",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI Vision",
"version": {
"version_data": [
{
"version_value": "All versions of PI Vision prior to 2019"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to an improper access control, which may return unauthorized tag data when viewing analysis data reference attributes."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER ACCESS CONTROL CWE-284"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-18275",
"datePublished": "2020-01-15T18:36:52",
"dateReserved": "2019-10-22T00:00:00",
"dateUpdated": "2024-08-05T01:47:14.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25167 (GCVE-0-2020-25167)
Vulnerability from nvd – Published: 2022-04-18 16:20 – Updated: 2025-04-16 16:29
VLAI?
Title
OSIsoft PI Vision Incorrect Authorization
Summary
OSIsoft PI Vision 2020 versions prior to 3.5.0 could disclose information to a user with insufficient privileges for an AF attribute.
Severity ?
4.9 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Credits
OSIsoft reported these vulnerabilities to CISA
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:26:10.216Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-25167",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:54:04.855314Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:29:22.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PI Vision",
"vendor": "OSIsoft",
"versions": [
{
"lessThan": "2020",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "OSIsoft reported these vulnerabilities to CISA"
}
],
"descriptions": [
{
"lang": "en",
"value": "OSIsoft PI Vision 2020 versions prior to 3.5.0 could disclose information to a user with insufficient privileges for an AF attribute."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-18T16:20:46.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
}
],
"solutions": [
{
"lang": "en",
"value": "OSIsoft released PI Vision 2020 Version 3.5.0, which resolves these vulnerabilities.\n\nRecommended defensive measures and related configuration settings are described on the OSIsoft customer portal (Login required)."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "OSIsoft PI Vision Incorrect Authorization",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-25167",
"STATE": "PUBLIC",
"TITLE": "OSIsoft PI Vision Incorrect Authorization"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PI Vision",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2020"
}
]
}
}
]
},
"vendor_name": "OSIsoft"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "OSIsoft reported these vulnerabilities to CISA"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OSIsoft PI Vision 2020 versions prior to 3.5.0 could disclose information to a user with insufficient privileges for an AF attribute."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863: Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02",
"refsource": "CONFIRM",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "OSIsoft released PI Vision 2020 Version 3.5.0, which resolves these vulnerabilities.\n\nRecommended defensive measures and related configuration settings are described on the OSIsoft customer portal (Login required)."
}
],
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-25167",
"datePublished": "2022-04-18T16:20:46.000Z",
"dateReserved": "2020-09-04T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:29:22.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25163 (GCVE-0-2020-25163)
Vulnerability from nvd – Published: 2022-04-18 16:20 – Updated: 2025-04-16 17:55
VLAI?
Title
OSIsoft PI Vision Cross-site Scripting
Summary
A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with victim’s user permissions.
Severity ?
7.7 (High)
CWE
- CWE-79 - Cross-site Scripting
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Credits
OSIsoft reported these vulnerabilities to CISA
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:26:09.485Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-25163",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T17:29:40.461576Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T17:55:26.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PI Vision",
"vendor": "OSIsoft",
"versions": [
{
"lessThan": "2020",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "OSIsoft reported these vulnerabilities to CISA"
}
],
"descriptions": [
{
"lang": "en",
"value": "A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with victim\u2019s user permissions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Cross-site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-18T16:20:45.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
}
],
"solutions": [
{
"lang": "en",
"value": "OSIsoft released PI Vision 2020 Version 3.5.0, which resolves these vulnerabilities.\n\nRecommended defensive measures and related configuration settings are described on the OSIsoft customer portal (Login required)."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "OSIsoft PI Vision Cross-site Scripting",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-25163",
"STATE": "PUBLIC",
"TITLE": "OSIsoft PI Vision Cross-site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PI Vision",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2020"
}
]
}
}
]
},
"vendor_name": "OSIsoft"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "OSIsoft reported these vulnerabilities to CISA"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with victim\u2019s user permissions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Cross-site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02",
"refsource": "CONFIRM",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "OSIsoft released PI Vision 2020 Version 3.5.0, which resolves these vulnerabilities.\n\nRecommended defensive measures and related configuration settings are described on the OSIsoft customer portal (Login required)."
}
],
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-25163",
"datePublished": "2022-04-18T16:20:45.000Z",
"dateReserved": "2020-09-04T00:00:00.000Z",
"dateUpdated": "2025-04-16T17:55:26.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43553 (GCVE-0-2021-43553)
Vulnerability from nvd – Published: 2021-11-17 18:20 – Updated: 2024-09-16 19:46
VLAI?
Title
OSIsoft PI Vision
Summary
PI Vision could disclose information to a user with insufficient privileges for an AF attribute that is the child of another attribute and is configured as a Limits property.
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:06.911Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PI Vision",
"vendor": "OSIsoft",
"versions": [
{
"lessThanOrEqual": "2021",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-11-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "PI Vision could disclose information to a user with insufficient privileges for an AF attribute that is the child of another attribute and is configured as a Limits property."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-17T18:20:51",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OSIsoft PI Vision",
"workarounds": [
{
"lang": "en",
"value": "OSIsoft recommends upgrading to PI vision 2021. Information can be found in the OSIsoft PI Vision security bulletin (registration required).\n\nOSIsoft recommends users apply the following workarounds for PI Vision to help reduce risk:\n\nConfigure Publisher and Explorer roles in PI Vision User Access Levels to restrict which users can create or modify displays.\nRemove any Limits properties from AF child attributes using PI System Explorer or a bulk editing tool.\nOSIsoft recommends the following defense measures to lower the impact of exploitation for PI Vision:\n\nUse a modern web browser such as Microsoft Edge, Google Chrome, or Mozilla FireFox. Do not use Microsoft Internet Explorer.\nIf upgrade is not an option, administrators should regularly audit the AF hierarchy to ensure there are no unexpected or unknown elements, attributes, or attribute properties. It is recommended security on elements in AF be configured and enforced in addition to configuring PI point security.\nPotential unauthorized viewing of PI System data due to this issue is limited to permissions granted to the PI Vision Application Pool Identity.\u202f Configure a dedicated identity mapping for PI Vision servers and manage permissions in accordance with a data classification policy.\nSee OSIsoft customer portal knowledge article for additional details and associated security updates (registration required)."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2021-11-09T19:12:00.000Z",
"ID": "CVE-2021-43553",
"STATE": "PUBLIC",
"TITLE": "OSIsoft PI Vision"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PI Vision",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "All versions",
"version_value": "2021"
}
]
}
}
]
},
"vendor_name": "OSIsoft"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PI Vision could disclose information to a user with insufficient privileges for an AF attribute that is the child of another attribute and is configured as a Limits property."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "OSIsoft recommends upgrading to PI vision 2021. Information can be found in the OSIsoft PI Vision security bulletin (registration required).\n\nOSIsoft recommends users apply the following workarounds for PI Vision to help reduce risk:\n\nConfigure Publisher and Explorer roles in PI Vision User Access Levels to restrict which users can create or modify displays.\nRemove any Limits properties from AF child attributes using PI System Explorer or a bulk editing tool.\nOSIsoft recommends the following defense measures to lower the impact of exploitation for PI Vision:\n\nUse a modern web browser such as Microsoft Edge, Google Chrome, or Mozilla FireFox. Do not use Microsoft Internet Explorer.\nIf upgrade is not an option, administrators should regularly audit the AF hierarchy to ensure there are no unexpected or unknown elements, attributes, or attribute properties. It is recommended security on elements in AF be configured and enforced in addition to configuring PI point security.\nPotential unauthorized viewing of PI System data due to this issue is limited to permissions granted to the PI Vision Application Pool Identity.\u202f Configure a dedicated identity mapping for PI Vision servers and manage permissions in accordance with a data classification policy.\nSee OSIsoft customer portal knowledge article for additional details and associated security updates (registration required)."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-43553",
"datePublished": "2021-11-17T18:20:51.041571Z",
"dateReserved": "2021-11-08T00:00:00",
"dateUpdated": "2024-09-16T19:46:25.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43551 (GCVE-0-2021-43551)
Vulnerability from nvd – Published: 2021-11-17 18:19 – Updated: 2024-09-16 23:16
VLAI?
Title
OSIsoft PI Vision
Summary
A remote attacker with write access to PI Vision could inject code into a display. Unauthorized information disclosure, modification, or deletion is possible if a victim views or interacts with the infected display using Microsoft Internet Explorer. The impact affects PI System data and other data accessible with victim's user permissions.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:06.882Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PI Vision",
"vendor": "OSIsoft",
"versions": [
{
"lessThanOrEqual": "2021",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-11-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A remote attacker with write access to PI Vision could inject code into a display. Unauthorized information disclosure, modification, or deletion is possible if a victim views or interacts with the infected display using Microsoft Internet Explorer. The impact affects PI System data and other data accessible with victim\u0027s user permissions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-30T20:07:00",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OSIsoft PI Vision",
"workarounds": [
{
"lang": "en",
"value": "OSIsoft recommends upgrading to PI vision 2021. Information can be found in the OSIsoft PI Vision security bulletin (registration required).\n\nOSIsoft recommends users apply the following workarounds for PI Vision to help reduce risk:\n\nConfigure Publisher and Explorer roles in PI Vision User Access Levels to restrict which users can create or modify displays.\nRemove any Limits properties from AF child attributes using PI System Explorer or a bulk editing tool.\nOSIsoft recommends the following defense measures to lower the impact of exploitation for PI Vision:\n\nUse a modern web browser such as Microsoft Edge, Google Chrome, or Mozilla FireFox. Do not use Microsoft Internet Explorer.\nIf upgrade is not an option, administrators should regularly audit the AF hierarchy to ensure there are no unexpected or unknown elements, attributes, or attribute properties. It is recommended security on elements in AF be configured and enforced in addition to configuring PI point security.\nPotential unauthorized viewing of PI System data due to this issue is limited to permissions granted to the PI Vision Application Pool Identity.\u202f Configure a dedicated identity mapping for PI Vision servers and manage permissions in accordance with a data classification policy.\nSee OSIsoft customer portal knowledge article for additional details and associated security updates (registration required)."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2021-11-09T19:12:00.000Z",
"ID": "CVE-2021-43551",
"STATE": "PUBLIC",
"TITLE": "OSIsoft PI Vision"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PI Vision",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "All versions",
"version_value": "2021"
}
]
}
}
]
},
"vendor_name": "OSIsoft"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote attacker with write access to PI Vision could inject code into a display. Unauthorized information disclosure, modification, or deletion is possible if a victim views or interacts with the infected display using Microsoft Internet Explorer. The impact affects PI System data and other data accessible with victim\u0027s user permissions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "OSIsoft recommends upgrading to PI vision 2021. Information can be found in the OSIsoft PI Vision security bulletin (registration required).\n\nOSIsoft recommends users apply the following workarounds for PI Vision to help reduce risk:\n\nConfigure Publisher and Explorer roles in PI Vision User Access Levels to restrict which users can create or modify displays.\nRemove any Limits properties from AF child attributes using PI System Explorer or a bulk editing tool.\nOSIsoft recommends the following defense measures to lower the impact of exploitation for PI Vision:\n\nUse a modern web browser such as Microsoft Edge, Google Chrome, or Mozilla FireFox. Do not use Microsoft Internet Explorer.\nIf upgrade is not an option, administrators should regularly audit the AF hierarchy to ensure there are no unexpected or unknown elements, attributes, or attribute properties. It is recommended security on elements in AF be configured and enforced in addition to configuring PI point security.\nPotential unauthorized viewing of PI System data due to this issue is limited to permissions granted to the PI Vision Application Pool Identity.\u202f Configure a dedicated identity mapping for PI Vision servers and manage permissions in accordance with a data classification policy.\nSee OSIsoft customer portal knowledge article for additional details and associated security updates (registration required)."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-43551",
"datePublished": "2021-11-17T18:19:44.773827Z",
"dateReserved": "2021-11-08T00:00:00",
"dateUpdated": "2024-09-16T23:16:08.135Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10643 (GCVE-0-2020-10643)
Vulnerability from nvd – Published: 2020-07-27 21:20 – Updated: 2024-09-16 23:51
VLAI?
Title
OSIsoft PI System
Summary
An authenticated remote attacker could use specially crafted URLs to send a victim using PI Vision 2019 mobile to a vulnerable web page due to a known issue in a third-party component.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Credits
William Knowles, Senior Security Consultant at Applied Risk, reported these vulnerabilities to OSIsoft
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:06:10.551Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PI Vision",
"vendor": "OSIsoft",
"versions": [
{
"lessThanOrEqual": "2019",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "William Knowles, Senior Security Consultant at Applied Risk, reported these vulnerabilities to OSIsoft"
}
],
"datePublic": "2020-06-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An authenticated remote attacker could use specially crafted URLs to send a victim using PI Vision 2019 mobile to a vulnerable web page due to a known issue in a third-party component."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-27T21:20:54",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"solutions": [
{
"lang": "en",
"value": "Limit write access to PI Vision displays to trusted users."
}
],
"source": {
"advisory": "ICSA-20-133-02 OSIsoft PI System",
"discovery": "EXTERNAL"
},
"title": "OSIsoft PI System",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2020-06-09T00:00:00.000Z",
"ID": "CVE-2020-10643",
"STATE": "PUBLIC",
"TITLE": "OSIsoft PI System"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PI Vision",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2019"
}
]
}
}
]
},
"vendor_name": "OSIsoft"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "William Knowles, Senior Security Consultant at Applied Risk, reported these vulnerabilities to OSIsoft"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An authenticated remote attacker could use specially crafted URLs to send a victim using PI Vision 2019 mobile to a vulnerable web page due to a known issue in a third-party component."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "Limit write access to PI Vision displays to trusted users."
}
],
"source": {
"advisory": "ICSA-20-133-02 OSIsoft PI System",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-10643",
"datePublished": "2020-07-27T21:20:54.980119Z",
"dateReserved": "2020-03-16T00:00:00",
"dateUpdated": "2024-09-16T23:51:08.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10614 (GCVE-0-2020-10614)
Vulnerability from nvd – Published: 2020-07-24 23:43 – Updated: 2024-08-04 11:06
VLAI?
Summary
In OSIsoft PI System multiple products and versions, an authenticated remote attacker with write access to PI Vision databases could inject code into a display. Unauthorized information disclosure, deletion, or modification is possible if a victim views the infected display.
Severity ?
No CVSS data available.
CWE
- CWE-79 - IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | OSIsoft PI System multiple products and versions |
Affected:
OSIsoft PI System multiple products and versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:06:10.183Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI System multiple products and versions",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "OSIsoft PI System multiple products and versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In OSIsoft PI System multiple products and versions, an authenticated remote attacker with write access to PI Vision databases could inject code into a display. Unauthorized information disclosure, deletion, or modification is possible if a victim views the infected display."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-24T23:43:05",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-10614",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI System multiple products and versions",
"version": {
"version_data": [
{
"version_value": "OSIsoft PI System multiple products and versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In OSIsoft PI System multiple products and versions, an authenticated remote attacker with write access to PI Vision databases could inject code into a display. Unauthorized information disclosure, deletion, or modification is possible if a victim views the infected display."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-10614",
"datePublished": "2020-07-24T23:43:05",
"dateReserved": "2020-03-16T00:00:00",
"dateUpdated": "2024-08-04T11:06:10.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-18244 (GCVE-0-2019-18244)
Vulnerability from nvd – Published: 2020-01-15 18:50 – Updated: 2024-08-05 01:47
VLAI?
Summary
In OSIsoft PI System multiple products and versions, a local attacker could view sensitive information in log files when service accounts are customized during installation or upgrade of PI Vision. The update fixes a previously reported issue.
Severity ?
No CVSS data available.
CWE
- CWE-532 - INSERTION OF SENSITIVE INFORMATION INTO LOG FILE CWE-532
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | OSIsoft PI System multiple products and versions |
Affected:
OSIsoft PI System multiple products and versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:47:14.073Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI System multiple products and versions",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "OSIsoft PI System multiple products and versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In OSIsoft PI System multiple products and versions, a local attacker could view sensitive information in log files when service accounts are customized during installation or upgrade of PI Vision. The update fixes a previously reported issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "INSERTION OF SENSITIVE INFORMATION INTO LOG FILE CWE-532",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-24T23:38:45",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-18244",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI System multiple products and versions",
"version": {
"version_data": [
{
"version_value": "OSIsoft PI System multiple products and versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In OSIsoft PI System multiple products and versions, a local attacker could view sensitive information in log files when service accounts are customized during installation or upgrade of PI Vision. The update fixes a previously reported issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "INSERTION OF SENSITIVE INFORMATION INTO LOG FILE CWE-532"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-18244",
"datePublished": "2020-01-15T18:50:00",
"dateReserved": "2019-10-22T00:00:00",
"dateUpdated": "2024-08-05T01:47:14.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-18273 (GCVE-0-2019-18273)
Vulnerability from nvd – Published: 2020-01-15 18:44 – Updated: 2024-08-05 01:47
VLAI?
Summary
OSIsoft PI Vision, PI Vision 2017 R2 and PI Vision 2017 R2 SP1. The affected product is vulnerable to cross-site scripting, which may allow invalid input to be introduced.
Severity ?
No CVSS data available.
CWE
- CWE-79 - IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | OSIsoft PI Vision |
Affected:
PI Vision 2017 R2 and PI Vision 2017 R2 SP1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:47:14.106Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI Vision",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "PI Vision 2017 R2 and PI Vision 2017 R2 SP1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OSIsoft PI Vision, PI Vision 2017 R2 and PI Vision 2017 R2 SP1. The affected product is vulnerable to cross-site scripting, which may allow invalid input to be introduced."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-15T18:44:13",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-18273",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI Vision",
"version": {
"version_data": [
{
"version_value": "PI Vision 2017 R2 and PI Vision 2017 R2 SP1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OSIsoft PI Vision, PI Vision 2017 R2 and PI Vision 2017 R2 SP1. The affected product is vulnerable to cross-site scripting, which may allow invalid input to be introduced."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-18273",
"datePublished": "2020-01-15T18:44:13",
"dateReserved": "2019-10-22T00:00:00",
"dateUpdated": "2024-08-05T01:47:14.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-18271 (GCVE-0-2019-18271)
Vulnerability from nvd – Published: 2020-01-15 18:40 – Updated: 2024-08-05 01:47
VLAI?
Summary
OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to a cross-site request forgery that may be introduced on the PI Vision administration site.
Severity ?
No CVSS data available.
CWE
- CWE-352 - CROSS-SITE REQUEST FORGERY (CSRF) CWE-352
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | OSIsoft PI Vision |
Affected:
All versions of PI Vision prior to 2019
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:47:14.077Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI Vision",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions of PI Vision prior to 2019"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to a cross-site request forgery that may be introduced on the PI Vision administration site."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CROSS-SITE REQUEST FORGERY (CSRF) CWE-352",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-15T18:40:25",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-18271",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI Vision",
"version": {
"version_data": [
{
"version_value": "All versions of PI Vision prior to 2019"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to a cross-site request forgery that may be introduced on the PI Vision administration site."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CROSS-SITE REQUEST FORGERY (CSRF) CWE-352"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-18271",
"datePublished": "2020-01-15T18:40:25",
"dateReserved": "2019-10-22T00:00:00",
"dateUpdated": "2024-08-05T01:47:14.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-18275 (GCVE-0-2019-18275)
Vulnerability from nvd – Published: 2020-01-15 18:36 – Updated: 2024-08-05 01:47
VLAI?
Summary
OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to an improper access control, which may return unauthorized tag data when viewing analysis data reference attributes.
Severity ?
No CVSS data available.
CWE
- CWE-284 - IMPROPER ACCESS CONTROL CWE-284
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | OSIsoft PI Vision |
Affected:
All versions of PI Vision prior to 2019
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:47:14.085Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI Vision",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions of PI Vision prior to 2019"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to an improper access control, which may return unauthorized tag data when viewing analysis data reference attributes."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "IMPROPER ACCESS CONTROL CWE-284",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-15T18:36:52",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-18275",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI Vision",
"version": {
"version_data": [
{
"version_value": "All versions of PI Vision prior to 2019"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to an improper access control, which may return unauthorized tag data when viewing analysis data reference attributes."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER ACCESS CONTROL CWE-284"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-18275",
"datePublished": "2020-01-15T18:36:52",
"dateReserved": "2019-10-22T00:00:00",
"dateUpdated": "2024-08-05T01:47:14.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}