44 vulnerabilities by OSIsoft
CVE-2020-25167 (GCVE-0-2020-25167)
Vulnerability from cvelistv5 – Published: 2022-04-18 16:20 – Updated: 2025-04-16 16:29
Summary
OSIsoft PI Vision 2020 versions prior to 3.5.0 could disclose information to a user with insufficient privileges for an AF attribute.
Severity ?
4.9 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags |
|---|---|
| https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02 | x_refsource_CONFIRM |
Credits
OSIsoft reported these vulnerabilities to CISA
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:26:10.216Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-25167",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:54:04.855314Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:29:22.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PI Vision",
"vendor": "OSIsoft",
"versions": [
{
"lessThan": "2020",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "OSIsoft reported these vulnerabilities to CISA"
}
],
"descriptions": [
{
"lang": "en",
"value": "OSIsoft PI Vision 2020 versions prior to 3.5.0 could disclose information to a user with insufficient privileges for an AF attribute."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-18T16:20:46.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
}
],
"solutions": [
{
"lang": "en",
"value": "OSIsoft released PI Vision 2020 Version 3.5.0, which resolves these vulnerabilities.\n\nRecommended defensive measures and related configuration settings are described on the OSIsoft customer portal (Login required)."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "OSIsoft PI Vision Incorrect Authorization",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-25167",
"STATE": "PUBLIC",
"TITLE": "OSIsoft PI Vision Incorrect Authorization"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PI Vision",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2020"
}
]
}
}
]
},
"vendor_name": "OSIsoft"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "OSIsoft reported these vulnerabilities to CISA"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OSIsoft PI Vision 2020 versions prior to 3.5.0 could disclose information to a user with insufficient privileges for an AF attribute."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863: Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02",
"refsource": "CONFIRM",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "OSIsoft released PI Vision 2020 Version 3.5.0, which resolves these vulnerabilities.\n\nRecommended defensive measures and related configuration settings are described on the OSIsoft customer portal (Login required)."
}
],
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-25167",
"datePublished": "2022-04-18T16:20:46.000Z",
"dateReserved": "2020-09-04T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:29:22.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25163 (GCVE-0-2020-25163)
Vulnerability from cvelistv5 – Published: 2022-04-18 16:20 – Updated: 2025-04-16 17:55
Summary
A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with victim’s user permissions.
Severity ?
7.7 (High)
CWE
- CWE-79 - Cross-site Scripting
Assigner
References
| URL | Tags |
|---|---|
| https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02 | x_refsource_CONFIRM |
Credits
OSIsoft reported these vulnerabilities to CISA
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:26:09.485Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-25163",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T17:29:40.461576Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T17:55:26.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PI Vision",
"vendor": "OSIsoft",
"versions": [
{
"lessThan": "2020",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "OSIsoft reported these vulnerabilities to CISA"
}
],
"descriptions": [
{
"lang": "en",
"value": "A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with victim\u2019s user permissions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Cross-site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-18T16:20:45.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
}
],
"solutions": [
{
"lang": "en",
"value": "OSIsoft released PI Vision 2020 Version 3.5.0, which resolves these vulnerabilities.\n\nRecommended defensive measures and related configuration settings are described on the OSIsoft customer portal (Login required)."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "OSIsoft PI Vision Cross-site Scripting",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-25163",
"STATE": "PUBLIC",
"TITLE": "OSIsoft PI Vision Cross-site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PI Vision",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2020"
}
]
}
}
]
},
"vendor_name": "OSIsoft"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "OSIsoft reported these vulnerabilities to CISA"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with victim\u2019s user permissions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Cross-site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02",
"refsource": "CONFIRM",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "OSIsoft released PI Vision 2020 Version 3.5.0, which resolves these vulnerabilities.\n\nRecommended defensive measures and related configuration settings are described on the OSIsoft customer portal (Login required)."
}
],
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-25163",
"datePublished": "2022-04-18T16:20:45.000Z",
"dateReserved": "2020-09-04T00:00:00.000Z",
"dateUpdated": "2025-04-16T17:55:26.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43549 (GCVE-0-2021-43549)
Vulnerability from cvelistv5 – Published: 2021-11-18 14:18 – Updated: 2024-09-16 23:00
Summary
A remote authenticated attacker with write access to a PI Server could trick a user into interacting with a PI Web API endpoint and redirect them to a malicious website. As a result, a victim may disclose sensitive information to the attacker or be provided with false information.
Severity ?
6.9 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags |
|---|---|
| https://us-cert.cisa.gov/ics/advisories/icsa-21-313-06 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| OSIsoft | PI Web API | Affected: All versions, ≤ 2019 SPI (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:07.669Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-06"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PI Web API",
"vendor": "OSIsoft",
"versions": [
{
"lessThanOrEqual": "2019 SPI",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-11-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A remote authenticated attacker with write access to a PI Server could trick a user into interacting with a PI Web API endpoint and redirect them to a malicious website. As a result, a victim may disclose sensitive information to the attacker or be provided with false information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-18T14:18:48",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-06"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OSIsoft PI Web API",
"workarounds": [
{
"lang": "en",
"value": "OSIsoft recommends upgrading to PI Web API 2021. Additional information can be found in the OSIsoft PI Web API security bulletin (registration required).\n\nOSIsoft recommends applying the following workaround in PI Web API to help reduce the risk:\n\nRemove the OSIsoft.REST.Documentation.dll from the PI Web API installation directory.\n\nThe PI Web API installation directory is available at this registry entry:\n\\\\HKLM\\SOFTWARE\\PISystem\\WebAPI\\InstallationDirectory\nThe default PI Web API installation directory is:\nC:\\Program Files\\PIPC\\WebAPI\nRemoving this file will cause built-in documentation to no longer be available. Navigating to the PI Web API endpoint with a browser will result in an error; however, the PI Web API will continue to function as a REST API\nDocumentation can be found at the OSIsoft website. Alternately, users are encouraged to limit access to PI Web API built-in documentation to dedicated development environments\nOSIsoft recommends users employ the following defense measures to lower the impact of exploitation for PI Web API:\n\nAvoid adding authentication type \u201cAnonymous\u201d in PI Web API configuration settings to limit exposure to authenticated users only,\nConsider using a web application firewall to block html responses from PI Web API servers,\nAudit the AF hierarchy to ensure there are no unauthorized databases, elements, or attributes,\nFor Kerberos authentication configurations, use Group Policy to deny network authentication to PI Server Administrator accounts on the PI Web API server.\nSee the OSIsoft customer portal knowledge article for additional details and associated security updates (registration required)."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2021-11-09T19:12:00.000Z",
"ID": "CVE-2021-43549",
"STATE": "PUBLIC",
"TITLE": "OSIsoft PI Web API"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PI Web API",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "All versions",
"version_value": "2019 SPI"
}
]
}
}
]
},
"vendor_name": "OSIsoft"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote authenticated attacker with write access to a PI Server could trick a user into interacting with a PI Web API endpoint and redirect them to a malicious website. As a result, a victim may disclose sensitive information to the attacker or be provided with false information."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-06",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-06"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "OSIsoft recommends upgrading to PI Web API 2021. Additional information can be found in the OSIsoft PI Web API security bulletin (registration required).\n\nOSIsoft recommends applying the following workaround in PI Web API to help reduce the risk:\n\nRemove the OSIsoft.REST.Documentation.dll from the PI Web API installation directory.\n\nThe PI Web API installation directory is available at this registry entry:\n\\\\HKLM\\SOFTWARE\\PISystem\\WebAPI\\InstallationDirectory\nThe default PI Web API installation directory is:\nC:\\Program Files\\PIPC\\WebAPI\nRemoving this file will cause built-in documentation to no longer be available. Navigating to the PI Web API endpoint with a browser will result in an error; however, the PI Web API will continue to function as a REST API\nDocumentation can be found at the OSIsoft website. Alternately, users are encouraged to limit access to PI Web API built-in documentation to dedicated development environments\nOSIsoft recommends users employ the following defense measures to lower the impact of exploitation for PI Web API:\n\nAvoid adding authentication type \u201cAnonymous\u201d in PI Web API configuration settings to limit exposure to authenticated users only,\nConsider using a web application firewall to block html responses from PI Web API servers,\nAudit the AF hierarchy to ensure there are no unauthorized databases, elements, or attributes,\nFor Kerberos authentication configurations, use Group Policy to deny network authentication to PI Server Administrator accounts on the PI Web API server.\nSee the OSIsoft customer portal knowledge article for additional details and associated security updates (registration required)."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-43549",
"datePublished": "2021-11-18T14:18:48.609013Z",
"dateReserved": "2021-11-08T00:00:00",
"dateUpdated": "2024-09-16T23:00:26.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43553 (GCVE-0-2021-43553)
Vulnerability from cvelistv5 – Published: 2021-11-17 18:20 – Updated: 2024-09-16 19:46
Summary
PI Vision could disclose information to a user with insufficient privileges for an AF attribute that is the child of another attribute and is configured as a Limits property.
Severity ?
3.1 (Low)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags |
|---|---|
| https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:06.911Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PI Vision",
"vendor": "OSIsoft",
"versions": [
{
"lessThanOrEqual": "2021",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-11-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "PI Vision could disclose information to a user with insufficient privileges for an AF attribute that is the child of another attribute and is configured as a Limits property."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-17T18:20:51",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OSIsoft PI Vision",
"workarounds": [
{
"lang": "en",
"value": "OSIsoft recommends upgrading to PI vision 2021. Information can be found in the OSIsoft PI Vision security bulletin (registration required).\n\nOSIsoft recommends users apply the following workarounds for PI Vision to help reduce risk:\n\nConfigure Publisher and Explorer roles in PI Vision User Access Levels to restrict which users can create or modify displays.\nRemove any Limits properties from AF child attributes using PI System Explorer or a bulk editing tool.\nOSIsoft recommends the following defense measures to lower the impact of exploitation for PI Vision:\n\nUse a modern web browser such as Microsoft Edge, Google Chrome, or Mozilla FireFox. Do not use Microsoft Internet Explorer.\nIf upgrade is not an option, administrators should regularly audit the AF hierarchy to ensure there are no unexpected or unknown elements, attributes, or attribute properties. It is recommended security on elements in AF be configured and enforced in addition to configuring PI point security.\nPotential unauthorized viewing of PI System data due to this issue is limited to permissions granted to the PI Vision Application Pool Identity.\u202f Configure a dedicated identity mapping for PI Vision servers and manage permissions in accordance with a data classification policy.\nSee OSIsoft customer portal knowledge article for additional details and associated security updates (registration required)."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2021-11-09T19:12:00.000Z",
"ID": "CVE-2021-43553",
"STATE": "PUBLIC",
"TITLE": "OSIsoft PI Vision"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PI Vision",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "All versions",
"version_value": "2021"
}
]
}
}
]
},
"vendor_name": "OSIsoft"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PI Vision could disclose information to a user with insufficient privileges for an AF attribute that is the child of another attribute and is configured as a Limits property."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863 Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "OSIsoft recommends upgrading to PI vision 2021. Information can be found in the OSIsoft PI Vision security bulletin (registration required).\n\nOSIsoft recommends users apply the following workarounds for PI Vision to help reduce risk:\n\nConfigure Publisher and Explorer roles in PI Vision User Access Levels to restrict which users can create or modify displays.\nRemove any Limits properties from AF child attributes using PI System Explorer or a bulk editing tool.\nOSIsoft recommends the following defense measures to lower the impact of exploitation for PI Vision:\n\nUse a modern web browser such as Microsoft Edge, Google Chrome, or Mozilla FireFox. Do not use Microsoft Internet Explorer.\nIf upgrade is not an option, administrators should regularly audit the AF hierarchy to ensure there are no unexpected or unknown elements, attributes, or attribute properties. It is recommended security on elements in AF be configured and enforced in addition to configuring PI point security.\nPotential unauthorized viewing of PI System data due to this issue is limited to permissions granted to the PI Vision Application Pool Identity.\u202f Configure a dedicated identity mapping for PI Vision servers and manage permissions in accordance with a data classification policy.\nSee OSIsoft customer portal knowledge article for additional details and associated security updates (registration required)."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-43553",
"datePublished": "2021-11-17T18:20:51.041571Z",
"dateReserved": "2021-11-08T00:00:00",
"dateUpdated": "2024-09-16T19:46:25.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43551 (GCVE-0-2021-43551)
Vulnerability from cvelistv5 – Published: 2021-11-17 18:19 – Updated: 2024-09-16 23:16
Summary
A remote attacker with write access to PI Vision could inject code into a display. Unauthorized information disclosure, modification, or deletion is possible if a victim views or interacts with the infected display using Microsoft Internet Explorer. The impact affects PI System data and other data accessible with victim's user permissions.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags |
|---|---|
| https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:06.882Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PI Vision",
"vendor": "OSIsoft",
"versions": [
{
"lessThanOrEqual": "2021",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-11-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A remote attacker with write access to PI Vision could inject code into a display. Unauthorized information disclosure, modification, or deletion is possible if a victim views or interacts with the infected display using Microsoft Internet Explorer. The impact affects PI System data and other data accessible with victim\u0027s user permissions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-30T20:07:00",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OSIsoft PI Vision",
"workarounds": [
{
"lang": "en",
"value": "OSIsoft recommends upgrading to PI vision 2021. Information can be found in the OSIsoft PI Vision security bulletin (registration required).\n\nOSIsoft recommends users apply the following workarounds for PI Vision to help reduce risk:\n\nConfigure Publisher and Explorer roles in PI Vision User Access Levels to restrict which users can create or modify displays.\nRemove any Limits properties from AF child attributes using PI System Explorer or a bulk editing tool.\nOSIsoft recommends the following defense measures to lower the impact of exploitation for PI Vision:\n\nUse a modern web browser such as Microsoft Edge, Google Chrome, or Mozilla FireFox. Do not use Microsoft Internet Explorer.\nIf upgrade is not an option, administrators should regularly audit the AF hierarchy to ensure there are no unexpected or unknown elements, attributes, or attribute properties. It is recommended security on elements in AF be configured and enforced in addition to configuring PI point security.\nPotential unauthorized viewing of PI System data due to this issue is limited to permissions granted to the PI Vision Application Pool Identity.\u202f Configure a dedicated identity mapping for PI Vision servers and manage permissions in accordance with a data classification policy.\nSee OSIsoft customer portal knowledge article for additional details and associated security updates (registration required)."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2021-11-09T19:12:00.000Z",
"ID": "CVE-2021-43551",
"STATE": "PUBLIC",
"TITLE": "OSIsoft PI Vision"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PI Vision",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "All versions",
"version_value": "2021"
}
]
}
}
]
},
"vendor_name": "OSIsoft"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote attacker with write access to PI Vision could inject code into a display. Unauthorized information disclosure, modification, or deletion is possible if a victim views or interacts with the infected display using Microsoft Internet Explorer. The impact affects PI System data and other data accessible with victim\u0027s user permissions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-05"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "OSIsoft recommends upgrading to PI vision 2021. Information can be found in the OSIsoft PI Vision security bulletin (registration required).\n\nOSIsoft recommends users apply the following workarounds for PI Vision to help reduce risk:\n\nConfigure Publisher and Explorer roles in PI Vision User Access Levels to restrict which users can create or modify displays.\nRemove any Limits properties from AF child attributes using PI System Explorer or a bulk editing tool.\nOSIsoft recommends the following defense measures to lower the impact of exploitation for PI Vision:\n\nUse a modern web browser such as Microsoft Edge, Google Chrome, or Mozilla FireFox. Do not use Microsoft Internet Explorer.\nIf upgrade is not an option, administrators should regularly audit the AF hierarchy to ensure there are no unexpected or unknown elements, attributes, or attribute properties. It is recommended security on elements in AF be configured and enforced in addition to configuring PI point security.\nPotential unauthorized viewing of PI System data due to this issue is limited to permissions granted to the PI Vision Application Pool Identity.\u202f Configure a dedicated identity mapping for PI Vision servers and manage permissions in accordance with a data classification policy.\nSee OSIsoft customer portal knowledge article for additional details and associated security updates (registration required)."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-43551",
"datePublished": "2021-11-17T18:19:44.773827Z",
"dateReserved": "2021-11-08T00:00:00",
"dateUpdated": "2024-09-16T23:16:08.135Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10643 (GCVE-0-2020-10643)
Vulnerability from cvelistv5 – Published: 2020-07-27 21:20 – Updated: 2024-09-16 23:51
Summary
An authenticated remote attacker could use specially crafted URLs to send a victim using PI Vision 2019 mobile to a vulnerable web page due to a known issue in a third-party component.
Severity ?
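6.5 (Medium) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Note: the vector scores Privileges Required as None, while the summary describes an authenticated attacker; check advisory ICSA-20-133-02 before relying on the base score for prioritisation.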
CWE
- CWE-79 - IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
Assigner
References
| URL | Tags |
|---|---|
| https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02 | x_refsource_MISC |
Credits
William Knowles, Senior Security Consultant at Applied Risk, reported these vulnerabilities to OSIsoft
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:06:10.551Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PI Vision",
"vendor": "OSIsoft",
"versions": [
{
"lessThanOrEqual": "2019",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "William Knowles, Senior Security Consultant at Applied Risk, reported these vulnerabilities to OSIsoft"
}
],
"datePublic": "2020-06-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An authenticated remote attacker could use specially crafted URLs to send a victim using PI Vision 2019 mobile to a vulnerable web page due to a known issue in a third-party component."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-27T21:20:54",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"solutions": [
{
"lang": "en",
"value": "Limit write access to PI Vision displays to trusted users."
}
],
"source": {
"advisory": "ICSA-20-133-02 OSIsoft PI System",
"discovery": "EXTERNAL"
},
"title": "OSIsoft PI System",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2020-06-09T00:00:00.000Z",
"ID": "CVE-2020-10643",
"STATE": "PUBLIC",
"TITLE": "OSIsoft PI System"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PI Vision",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2019"
}
]
}
}
]
},
"vendor_name": "OSIsoft"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "William Knowles, Senior Security Consultant at Applied Risk, reported these vulnerabilities to OSIsoft"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An authenticated remote attacker could use specially crafted URLs to send a victim using PI Vision 2019 mobile to a vulnerable web page due to a known issue in a third-party component."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "Limit write access to PI Vision displays to trusted users."
}
],
"source": {
"advisory": "ICSA-20-133-02 OSIsoft PI System",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-10643",
"datePublished": "2020-07-27T21:20:54.980119Z",
"dateReserved": "2020-03-16T00:00:00",
"dateUpdated": "2024-09-16T23:51:08.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10614 (GCVE-0-2020-10614)
Vulnerability from cvelistv5 – Published: 2020-07-24 23:43 – Updated: 2024-08-04 11:06
Summary
In OSIsoft PI System multiple products and versions, an authenticated remote attacker with write access to PI Vision databases could inject code into a display. Unauthorized information disclosure, deletion, or modification is possible if a victim views the infected display.
Severity ?
No CVSS data available.
CWE
- CWE-79 - IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
Assigner
References
| URL | Tags |
|---|---|
| https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| n/a | OSIsoft PI System multiple products and versions | Affected: OSIsoft PI System multiple products and versions |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:06:10.183Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI System multiple products and versions",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "OSIsoft PI System multiple products and versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In OSIsoft PI System multiple products and versions, an authenticated remote attacker with write access to PI Vision databases could inject code into a display. Unauthorized information disclosure, deletion, or modification is possible if a victim views the infected display."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-24T23:43:05",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-10614",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI System multiple products and versions",
"version": {
"version_data": [
{
"version_value": "OSIsoft PI System multiple products and versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In OSIsoft PI System multiple products and versions, an authenticated remote attacker with write access to PI Vision databases could inject code into a display. Unauthorized information disclosure, deletion, or modification is possible if a victim views the infected display."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-10614",
"datePublished": "2020-07-24T23:43:05",
"dateReserved": "2020-03-16T00:00:00",
"dateUpdated": "2024-08-04T11:06:10.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10604 (GCVE-0-2020-10604)
Vulnerability from cvelistv5 – Published: 2020-07-24 23:34 – Updated: 2024-08-04 11:06
Summary
In OSIsoft PI System multiple products and versions, a remote, unauthenticated attacker could crash PI Network Manager service through specially crafted requests. This can result in blocking connections and queries to PI Data Archive.
Severity ?
No CVSS data available.
CWE
- CWE-248 - UNCAUGHT EXCEPTION CWE-248
Assigner
References
| URL | Tags |
|---|---|
| https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| n/a | OSIsoft PI System multiple products and versions | Affected: OSIsoft PI System multiple products and versions |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:06:09.997Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI System multiple products and versions",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "OSIsoft PI System multiple products and versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In OSIsoft PI System multiple products and versions, a remote, unauthenticated attacker could crash PI Network Manager service through specially crafted requests. This can result in blocking connections and queries to PI Data Archive."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "UNCAUGHT EXCEPTION CWE-248",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-24T23:34:55",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-10604",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI System multiple products and versions",
"version": {
"version_data": [
{
"version_value": "OSIsoft PI System multiple products and versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In OSIsoft PI System multiple products and versions, a remote, unauthenticated attacker could crash PI Network Manager service through specially crafted requests. This can result in blocking connections and queries to PI Data Archive."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "UNCAUGHT EXCEPTION CWE-248"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-10604",
"datePublished": "2020-07-24T23:34:55",
"dateReserved": "2020-03-16T00:00:00",
"dateUpdated": "2024-08-04T11:06:09.997Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10600 (GCVE-0-2020-10600)
Vulnerability from cvelistv5 – Published: 2020-07-24 23:01 – Updated: 2024-09-16 19:20
Summary
An authenticated remote attacker could crash PI Archive Subsystem when the subsystem is working under memory pressure. This can result in blocking queries to PI Data Archive (2018 SP2 and prior versions).
Severity ?
5.9 (Medium)
CWE
- CWE-476 - NULL POINTER DEREFERENCE CWE-476
Assigner
References
| URL | Tags |
|---|---|
| https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02 | x_refsource_MISC |
Impacted products
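| Vendor | Product | Version |
|---|---|---|
| OSIsoft | PI Data Archive | Affected: unspecified, < 2018 SP2 (custom) |

Note: the summary names "2018 SP2 and prior versions" as affected, while this structured range (< 2018 SP2) excludes 2018 SP2 itself; version matching on the range alone may miss 2018 SP2 installations, so confirm against advisory ICSA-20-133-02.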
Credits
William Knowles, Senior Security Consultant at Applied Risk, reported these vulnerabilities to OSIsoft
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:06:10.143Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PI Data Archive",
"vendor": "OSIsoft",
"versions": [
{
"lessThan": "2018 SP2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "William Knowles, Senior Security Consultant at Applied Risk, reported these vulnerabilities to OSIsoft"
}
],
"datePublic": "2020-06-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An authenticated remote attacker could crash PI Archive Subsystem when the subsystem is working under memory pressure. This can result in blocking queries to PI Data Archive (2018 SP2 and prior versions)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "NULL POINTER DEREFERENCE CWE-476",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-27T21:25:23",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"solutions": [
{
"lang": "en",
"value": "Fully configure Windows authentication for the PI System and disable legacy authentication methods. For a starting point on PI System security best practices, see knowledge base article KB00833 -Seven best practices for securing your PI Server. (https://customers.osisoft.com/s/knowledgearticle?knowledgeArticleUrl=KB00833)"
}
],
"source": {
"advisory": "ICSA-20-133-02 OSIsoft PI System",
"discovery": "EXTERNAL"
},
"title": "OSIsoft PI System",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2020-06-09T00:00:00.000Z",
"ID": "CVE-2020-10600",
"STATE": "PUBLIC",
"TITLE": "OSIsoft PI System"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PI Data Archive",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2018 SP2"
}
]
}
}
]
},
"vendor_name": "OSIsoft"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "William Knowles, Senior Security Consultant at Applied Risk, reported these vulnerabilities to OSIsoft"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An authenticated remote attacker could crash PI Archive Subsystem when the subsystem is working under memory pressure. This can result in blocking queries to PI Data Archive (2018 SP2 and prior versions)."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "NULL POINTER DEREFERENCE CWE-476"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "Fully configure Windows authentication for the PI System and disable legacy authentication methods. For a starting point on PI System security best practices, see knowledge base article KB00833 -Seven best practices for securing your PI Server. (https://customers.osisoft.com/s/knowledgearticle?knowledgeArticleUrl=KB00833)"
}
],
"source": {
"advisory": "ICSA-20-133-02 OSIsoft PI System",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-10600",
"datePublished": "2020-07-24T23:01:05.997100Z",
"dateReserved": "2020-03-16T00:00:00",
"dateUpdated": "2024-09-16T19:20:28.875Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10606 (GCVE-0-2020-10606)
Vulnerability from cvelistv5 – Published: 2020-07-24 22:55 – Updated: 2024-08-04 11:06
Summary
In OSIsoft PI System multiple products and versions, a local attacker can exploit incorrect permissions set by affected PI System software. This exploitation can result in unauthorized information disclosure, deletion, or modification if the local computer also processes PI System data from other users, such as from a shared workstation or terminal server deployment.
Severity ?
No CVSS data available.
CWE
- CWE-276 - INCORRECT DEFAULT PERMISSIONS CWE-276
Assigner
References
| URL | Tags |
|---|---|
| https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| n/a | OSIsoft PI System multiple products and versions | Affected: OSIsoft PI System multiple products and versions |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:06:10.081Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI System multiple products and versions",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "OSIsoft PI System multiple products and versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In OSIsoft PI System multiple products and versions, a local attacker can exploit incorrect permissions set by affected PI System software. This exploitation can result in unauthorized information disclosure, deletion, or modification if the local computer also processes PI System data from other users, such as from a shared workstation or terminal server deployment."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "INCORRECT DEFAULT PERMISSIONS CWE-276",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-24T22:55:32",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-10606",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI System multiple products and versions",
"version": {
"version_data": [
{
"version_value": "OSIsoft PI System multiple products and versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In OSIsoft PI System multiple products and versions, a local attacker can exploit incorrect permissions set by affected PI System software. This exploitation can result in unauthorized information disclosure, deletion, or modification if the local computer also processes PI System data from other users, such as from a shared workstation or terminal server deployment."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "INCORRECT DEFAULT PERMISSIONS CWE-276"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-10606",
"datePublished": "2020-07-24T22:55:32",
"dateReserved": "2020-03-16T00:00:00",
"dateUpdated": "2024-08-04T11:06:10.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10608 (GCVE-0-2020-10608)
Vulnerability from cvelistv5 – Published: 2020-07-24 22:46 – Updated: 2024-08-04 11:06
Summary
In OSIsoft PI System multiple products and versions, a local attacker can plant a binary and bypass a code integrity check for loading PI System libraries. This exploitation can target another local user of PI System software on the computer to escalate privilege and result in unauthorized information disclosure, deletion, or modification.
Severity ?
No CVSS data available.
CWE
- CWE-347 - IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347
Assigner
References
| URL | Tags |
|---|---|
| https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| n/a | OSIsoft PI System multiple products and versions | Affected: OSIsoft PI System multiple products and versions |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:06:09.916Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI System multiple products and versions",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "OSIsoft PI System multiple products and versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In OSIsoft PI System multiple products and versions, a local attacker can plant a binary and bypass a code integrity check for loading PI System libraries. This exploitation can target another local user of PI System software on the computer to escalate privilege and result in unauthorized information disclosure, deletion, or modification."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-24T22:46:02",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-10608",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI System multiple products and versions",
"version": {
"version_data": [
{
"version_value": "OSIsoft PI System multiple products and versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In OSIsoft PI System multiple products and versions, a local attacker can plant a binary and bypass a code integrity check for loading PI System libraries. This exploitation can target another local user of PI System software on the computer to escalate privilege and result in unauthorized information disclosure, deletion, or modification."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-10608",
"datePublished": "2020-07-24T22:46:02",
"dateReserved": "2020-03-16T00:00:00",
"dateUpdated": "2024-08-04T11:06:09.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10610 (GCVE-0-2020-10610)
Vulnerability from cvelistv5 – Published: 2020-07-24 22:42 – Updated: 2024-08-04 11:06
Summary
In OSIsoft PI System multiple products and versions, a local attacker can modify a search path and plant a binary to exploit the affected PI System software to take control of the local computer at Windows system privilege level, resulting in unauthorized information disclosure, deletion, or modification.
Severity ?
No CVSS data available.
CWE
- CWE-427 - UNCONTROLLED SEARCH PATH ELEMENT CWE-427
Assigner
References
| URL | Tags |
|---|---|
| https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| n/a | OSIsoft PI System multiple products and versions | Affected: OSIsoft PI System multiple products and versions |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:06:10.091Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI System multiple products and versions",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "OSIsoft PI System multiple products and versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In OSIsoft PI System multiple products and versions, a local attacker can modify a search path and plant a binary to exploit the affected PI System software to take control of the local computer at Windows system privilege level, resulting in unauthorized information disclosure, deletion, or modification."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "UNCONTROLLED SEARCH PATH ELEMENT CWE-427",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-24T22:42:39",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-10610",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI System multiple products and versions",
"version": {
"version_data": [
{
"version_value": "OSIsoft PI System multiple products and versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In OSIsoft PI System multiple products and versions, a local attacker can modify a search path and plant a binary to exploit the affected PI System software to take control of the local computer at Windows system privilege level, resulting in unauthorized information disclosure, deletion, or modification."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "UNCONTROLLED SEARCH PATH ELEMENT CWE-427"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-10610",
"datePublished": "2020-07-24T22:42:39",
"dateReserved": "2020-03-16T00:00:00",
"dateUpdated": "2024-08-04T11:06:10.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12021 (GCVE-0-2020-12021)
Vulnerability from cvelistv5 – Published: 2020-06-23 21:36 – Updated: 2024-08-04 11:48
Summary
In OSIsoft PI Web API 2019 Patch 1 (1.12.0.6346) and all previous versions, the affected product is vulnerable to a cross-site scripting attack, which may allow an attacker to remotely execute arbitrary code.
Severity ?
No CVSS data available.
CWE
- CWE-79 - IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
Assigner
References
| URL | Tags |
|---|---|
| https://www.us-cert.gov/ics/advisories/icsa-20-163-01 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| n/a | OSIsoft PI Web API 2019 | Affected: OSIsoft PI Web API 2019 Patch 1 (1.12.0.6346) and all previous versions |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:48:57.978Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-163-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI Web API 2019",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "OSIsoft PI Web API 2019 Patch 1 (1.12.0.6346) and all previous versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In OSIsoft PI Web API 2019 Patch 1 (1.12.0.6346) and all previous versions, the affected product is vulnerable to a cross-site scripting attack, which may allow an attacker to remotely execute arbitrary code."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-23T21:36:23",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-163-01"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-12021",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI Web API 2019",
"version": {
"version_data": [
{
"version_value": "OSIsoft PI Web API 2019 Patch 1 (1.12.0.6346) and all previous versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In OSIsoft PI Web API 2019 Patch 1 (1.12.0.6346) and all previous versions, the affected product is vulnerable to a cross-site scripting attack, which may allow an attacker to remotely execute arbitrary code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-20-163-01",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-163-01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-12021",
"datePublished": "2020-06-23T21:36:23",
"dateReserved": "2020-04-21T00:00:00",
"dateUpdated": "2024-08-04T11:48:57.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-18244 (GCVE-0-2019-18244)
Vulnerability from cvelistv5 – Published: 2020-01-15 18:50 – Updated: 2024-08-05 01:47
Summary
In OSIsoft PI System multiple products and versions, a local attacker could view sensitive information in log files when service accounts are customized during installation or upgrade of PI Vision. The update fixes a previously reported issue.
Severity ?
No CVSS data available.
CWE
- CWE-532 - INSERTION OF SENSITIVE INFORMATION INTO LOG FILE CWE-532
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| n/a | OSIsoft PI System multiple products and versions | Affected: OSIsoft PI System multiple products and versions |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:47:14.073Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI System multiple products and versions",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "OSIsoft PI System multiple products and versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In OSIsoft PI System multiple products and versions, a local attacker could view sensitive information in log files when service accounts are customized during installation or upgrade of PI Vision. The update fixes a previously reported issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "INSERTION OF SENSITIVE INFORMATION INTO LOG FILE CWE-532",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-24T23:38:45",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-18244",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI System multiple products and versions",
"version": {
"version_data": [
{
"version_value": "OSIsoft PI System multiple products and versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In OSIsoft PI System multiple products and versions, a local attacker could view sensitive information in log files when service accounts are customized during installation or upgrade of PI Vision. The update fixes a previously reported issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "INSERTION OF SENSITIVE INFORMATION INTO LOG FILE CWE-532"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-18244",
"datePublished": "2020-01-15T18:50:00",
"dateReserved": "2019-10-22T00:00:00",
"dateUpdated": "2024-08-05T01:47:14.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-18273 (GCVE-0-2019-18273)
Vulnerability from cvelistv5 – Published: 2020-01-15 18:44 – Updated: 2024-08-05 01:47
Summary
OSIsoft PI Vision, PI Vision 2017 R2 and PI Vision 2017 R2 SP1. The affected product is vulnerable to cross-site scripting, which may allow invalid input to be introduced.
Severity ?
No CVSS data available.
CWE
- CWE-79 - IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| n/a | OSIsoft PI Vision | Affected: PI Vision 2017 R2 and PI Vision 2017 R2 SP1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:47:14.106Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI Vision",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "PI Vision 2017 R2 and PI Vision 2017 R2 SP1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OSIsoft PI Vision, PI Vision 2017 R2 and PI Vision 2017 R2 SP1. The affected product is vulnerable to cross-site scripting, which may allow invalid input to be introduced."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-15T18:44:13",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-18273",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI Vision",
"version": {
"version_data": [
{
"version_value": "PI Vision 2017 R2 and PI Vision 2017 R2 SP1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OSIsoft PI Vision, PI Vision 2017 R2 and PI Vision 2017 R2 SP1. The affected product is vulnerable to cross-site scripting, which may allow invalid input to be introduced."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-18273",
"datePublished": "2020-01-15T18:44:13",
"dateReserved": "2019-10-22T00:00:00",
"dateUpdated": "2024-08-05T01:47:14.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-18271 (GCVE-0-2019-18271)
Vulnerability from cvelistv5 – Published: 2020-01-15 18:40 – Updated: 2024-08-05 01:47
Summary
OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to a cross-site request forgery that may be introduced on the PI Vision administration site.
Severity ?
No CVSS data available.
CWE
- CWE-352 - CROSS-SITE REQUEST FORGERY (CSRF) CWE-352
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| n/a | OSIsoft PI Vision | Affected: All versions of PI Vision prior to 2019 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:47:14.077Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI Vision",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions of PI Vision prior to 2019"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to a cross-site request forgery that may be introduced on the PI Vision administration site."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CROSS-SITE REQUEST FORGERY (CSRF) CWE-352",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-15T18:40:25",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-18271",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI Vision",
"version": {
"version_data": [
{
"version_value": "All versions of PI Vision prior to 2019"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to a cross-site request forgery that may be introduced on the PI Vision administration site."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CROSS-SITE REQUEST FORGERY (CSRF) CWE-352"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-18271",
"datePublished": "2020-01-15T18:40:25",
"dateReserved": "2019-10-22T00:00:00",
"dateUpdated": "2024-08-05T01:47:14.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-18275 (GCVE-0-2019-18275)
Vulnerability from cvelistv5 – Published: 2020-01-15 18:36 – Updated: 2024-08-05 01:47
Summary
OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to an improper access control, which may return unauthorized tag data when viewing analysis data reference attributes.
Severity ?
No CVSS data available.
CWE
- CWE-284 - IMPROPER ACCESS CONTROL CWE-284
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| n/a | OSIsoft PI Vision | Affected: All versions of PI Vision prior to 2019 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:47:14.085Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI Vision",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions of PI Vision prior to 2019"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to an improper access control, which may return unauthorized tag data when viewing analysis data reference attributes."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "IMPROPER ACCESS CONTROL CWE-284",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-15T18:36:52",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-18275",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI Vision",
"version": {
"version_data": [
{
"version_value": "All versions of PI Vision prior to 2019"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OSIsoft PI Vision, All versions of PI Vision prior to 2019. The affected product is vulnerable to an improper access control, which may return unauthorized tag data when viewing analysis data reference attributes."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER ACCESS CONTROL CWE-284"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-014-06"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-18275",
"datePublished": "2020-01-15T18:36:52",
"dateReserved": "2019-10-22T00:00:00",
"dateUpdated": "2024-08-05T01:47:14.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-13516 (GCVE-0-2019-13516)
Vulnerability from cvelistv5 – Published: 2019-08-15 18:49 – Updated: 2024-08-04 23:57
Summary
In OSIsoft PI Web API 2018 and prior, the affected product is vulnerable to a direct attack due to a cross-site request forgery protection setting that has not taken effect.
Severity ?
No CVSS data available.
CWE
- CWE-693 - PROTECTION MECHANISM FAILURE CWE-693
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| n/a | OSIsoft PI Web API | Affected: PI Web API 2018 and prior. |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:57:39.193Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-225-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI Web API",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "PI Web API 2018 and prior."
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In OSIsoft PI Web API and prior, the affected product is vulnerable to a direct attack due to a cross-site request forgery protection setting that has not taken effect."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "PROTECTION MECHANISM FAILURE CWE-693",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-15T18:49:15",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-225-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-13516",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI Web API",
"version": {
"version_data": [
{
"version_value": "PI Web API 2018 and prior."
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In OSIsoft PI Web API and prior, the affected product is vulnerable to a direct attack due to a cross-site request forgery protection setting that has not taken effect."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "PROTECTION MECHANISM FAILURE CWE-693"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-19-225-02",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-225-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-13516",
"datePublished": "2019-08-15T18:49:15",
"dateReserved": "2019-07-11T00:00:00",
"dateUpdated": "2024-08-04T23:57:39.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-13515 (GCVE-0-2019-13515)
Vulnerability from cvelistv5 – Published: 2019-08-15 18:39 – Updated: 2024-08-04 23:57
Summary
OSIsoft PI Web API 2018 and prior may allow disclosure of sensitive information.
Severity ?
No CVSS data available.
CWE
- CWE-532 - INCLUSION OF SENSITIVE INFORMATION IN LOG FILES CWE-532
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| n/a | OSIsoft PI Web API | Affected: PI Web API 2018 and prior. |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:57:39.455Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-225-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI Web API",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "PI Web API 2018 and prior."
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OSIsoft PI Web API 2018 and prior may allow disclosure of sensitive information."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "INCLUSION OF SENSITIVE INFORMATION IN LOG FILES CWE-532",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-15T18:39:36",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-225-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-13515",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI Web API",
"version": {
"version_data": [
{
"version_value": "PI Web API 2018 and prior."
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OSIsoft PI Web API 2018 and prior may allow disclosure of sensitive information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "INCLUSION OF SENSITIVE INFORMATION IN LOG FILES CWE-532"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-19-225-02",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-225-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-13515",
"datePublished": "2019-08-15T18:39:36",
"dateReserved": "2019-07-11T00:00:00",
"dateUpdated": "2024-08-04T23:57:39.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-19006 (GCVE-0-2018-19006)
Vulnerability from cvelistv5 – Published: 2019-04-08 14:30 – Updated: 2024-08-05 11:23
Summary
OSIsoft PI Vision, versions PI Vision 2017 and PI Vision 2017 R2: the application contains a cross-site scripting vulnerability affecting displays that reference AF elements and attributes containing JavaScript. This vulnerability requires that authorized AF users be able to store JavaScript in AF elements and attributes.
Severity ?
No CVSS data available.
CWE
- CWE-79 - IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:23:09.033Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-043-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PI Vision",
"vendor": "OSIsoft",
"versions": [
{
"status": "affected",
"version": "PI Vision 2017"
},
{
"status": "affected",
"version": "and PI Vision 2017 R2"
}
]
}
],
"datePublic": "2019-02-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "OSIsoft PI Vision, versions PI Vision 2017, and PI Vision 2017 R2, The application contains a cross-site scripting vulnerability where displays that reference AF elements and attributes containing JavaScript are affected. This vulnerability requires the ability of authorized AF users to store JavaScript in AF elements and attributes."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-08T14:30:39",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-043-01"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2018-19006",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PI Vision",
"version": {
"version_data": [
{
"version_value": "PI Vision 2017"
},
{
"version_value": "and PI Vision 2017 R2"
}
]
}
}
]
},
"vendor_name": "OSIsoft"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OSIsoft PI Vision, versions PI Vision 2017, and PI Vision 2017 R2, The application contains a cross-site scripting vulnerability where displays that reference AF elements and attributes containing JavaScript are affected. This vulnerability requires the ability of authorized AF users to store JavaScript in AF elements and attributes."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u0027CROSS-SITE SCRIPTING\u0027) CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-043-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-043-01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-19006",
"datePublished": "2019-04-08T14:30:39",
"dateReserved": "2018-11-06T00:00:00",
"dateUpdated": "2024-08-05T11:23:09.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-9641 (GCVE-0-2017-9641)
Vulnerability from cvelistv5 – Published: 2018-05-25 15:00 – Updated: 2024-09-16 19:20
Summary
PI Coresight 2016 R2 contains a cross-site request forgery vulnerability that may allow access to the PI system. OSIsoft recommends that users upgrade to PI Vision 2017 or greater to mitigate this vulnerability.
Severity ?
No CVSS data available.
CWE
- CWE-352 - Cross-site request forgery CWE-352
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| OSIsoft | PI Coresight | Affected: 2016 R2 and earlier versions. |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:11:02.371Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-192-04"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00320"
},
{
"name": "99540",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99540"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PI Coresight",
"vendor": "OSIsoft",
"versions": [
{
"status": "affected",
"version": "2016 R2 and earlier versions."
}
]
}
],
"datePublic": "2017-06-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "PI Coresight 2016 R2 contains a cross-site request forgery vulnerability that may allow access to the PI system. OSIsoft recommends that users upgrade to PI Vision 2017 or greater to mitigate this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-site request forgery CWE-352",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-26T09:57:01",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-192-04"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00320"
},
{
"name": "99540",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99540"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2017-06-13T00:00:00",
"ID": "CVE-2017-9641",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PI Coresight",
"version": {
"version_data": [
{
"version_value": "2016 R2 and earlier versions."
}
]
}
}
]
},
"vendor_name": "OSIsoft"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PI Coresight 2016 R2 contains a cross-site request forgery vulnerability that may allow access to the PI system. OSIsoft recommends that users upgrade to PI Vision 2017 or greater to mitigate this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site request forgery CWE-352"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-192-04",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-192-04"
},
{
"name": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00320",
"refsource": "CONFIRM",
"url": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00320"
},
{
"name": "99540",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99540"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2017-9641",
"datePublished": "2018-05-25T15:00:00Z",
"dateReserved": "2017-06-14T00:00:00",
"dateUpdated": "2024-09-16T19:20:52.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-8365 (GCVE-0-2016-8365)
Vulnerability from cvelistv5 – Published: 2018-04-03 14:00 – Updated: 2024-09-16 16:58
Summary
OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
Severity ?
No CVSS data available.
CWE
- CWE-437 - Incomplete model of endpoint features CWE-437
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| OSIsoft | PI System software | Affected: Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0<br>Affected: Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6<br>Affected: PI Buffer Subsystem, versions prior to and including, Version 4.4<br>Affected: PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64. |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:20:30.968Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03"
},
{
"name": "94165",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94165"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PI System software",
"vendor": "OSIsoft",
"versions": [
{
"status": "affected",
"version": "Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0"
},
{
"status": "affected",
"version": "Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6"
},
{
"status": "affected",
"version": "PI Buffer Subsystem, versions prior to and including, Version 4.4"
},
{
"status": "affected",
"version": "PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64."
}
]
}
],
"datePublic": "2016-10-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-437",
"description": "Incomplete model of enpoint features CWE-437",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-04-04T09:57:01",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03"
},
{
"name": "94165",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94165"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2016-10-11T00:00:00",
"ID": "CVE-2016-8365",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PI System software",
"version": {
"version_data": [
{
"version_value": "Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0"
},
{
"version_value": "Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6"
},
{
"version_value": "PI Buffer Subsystem, versions prior to and including, Version 4.4"
},
{
"version_value": "PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64."
}
]
}
}
]
},
"vendor_name": "OSIsoft"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Incomplete model of enpoint features CWE-437"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308",
"refsource": "CONFIRM",
"url": "https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03"
},
{
"name": "94165",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94165"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2016-8365",
"datePublished": "2018-04-03T14:00:00Z",
"dateReserved": "2016-09-28T00:00:00",
"dateUpdated": "2024-09-16T16:58:56.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-7533 (GCVE-0-2018-7533)
Vulnerability from cvelistv5 – Published: 2018-03-14 18:00 – Updated: 2024-08-05 06:31
Summary
An Incorrect Default Permissions issue was discovered in OSIsoft PI Data Archive versions 2017 and prior. Insecure default configuration may allow escalation of privileges that gives the actor full control over the system.
Severity ?
No CVSS data available.
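CWE
- CWE-276 - Incorrect Default Permissions
Assigner
icscert
References
| URL | Tags |
|---|---|
| https://ics-cert.us-cert.gov/advisories/ICSA-18-072-02 | x_refsource_MISC |
| http://www.securityfocus.com/bid/103399 | vdb-entry, x_refsource_BID |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| n/a | OSIsoft PI Data Archive | Affected: OSIsoft PI Data Archive |

Note: the record's structured affected entry names only the product; the version bound (versions 2017 and prior) appears only in the summary text, so tooling that matches on the version field will not see it.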
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:31:04.387Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-02"
},
{
"name": "103399",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103399"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI Data Archive",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "OSIsoft PI Data Archive"
}
]
}
],
"datePublic": "2018-03-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An Incorrect Default Permissions issue was discovered in OSIsoft PI Data Archive versions 2017 and prior. Insecure default configuration may allow escalation of privileges that gives the actor full control over the system."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-15T09:57:02",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-02"
},
{
"name": "103399",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103399"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2018-7533",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI Data Archive",
"version": {
"version_data": [
{
"version_value": "OSIsoft PI Data Archive"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An Incorrect Default Permissions issue was discovered in OSIsoft PI Data Archive versions 2017 and prior. Insecure default configuration may allow escalation of privileges that gives the actor full control over the system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-276"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-02",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-02"
},
{
"name": "103399",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103399"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-7533",
"datePublished": "2018-03-14T18:00:00",
"dateReserved": "2018-02-26T00:00:00",
"dateUpdated": "2024-08-05T06:31:04.387Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-7500 (GCVE-0-2018-7500)
Vulnerability from cvelistv5 – Published: 2018-03-14 18:00 – Updated: 2024-08-05 06:31
Summary
A Permissions, Privileges, and Access Controls issue was discovered in OSIsoft PI Web API versions 2017 R2 and prior. Privileges may be escalated, giving attackers access to the PI System via the service account.
Severity ?
No CVSS data available.
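CWE
- CWE-264 - Permissions, Privileges, and Access Controls
Assigner
icscert
References
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/103396 | vdb-entry, x_refsource_BID |
| https://ics-cert.us-cert.gov/advisories/ICSA-18-072-04 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| n/a | OSIsoft PI Web API | Affected: OSIsoft PI Web API |

Note: the record's structured affected entry names only the product; the version bound (versions 2017 R2 and prior) appears only in the summary text, so tooling that matches on the version field will not see it.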
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:31:04.282Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "103396",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103396"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI Web API",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "OSIsoft PI Web API"
}
]
}
],
"datePublic": "2018-03-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A Permissions, Privileges, and Access Controls issue was discovered in OSIsoft PI Web API versions 2017 R2 and prior. Privileges may be escalated, giving attackers access to the PI System via the service account."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-264",
"description": "CWE-264",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-15T09:57:02",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"name": "103396",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103396"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-04"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2018-7500",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI Web API",
"version": {
"version_data": [
{
"version_value": "OSIsoft PI Web API"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Permissions, Privileges, and Access Controls issue was discovered in OSIsoft PI Web API versions 2017 R2 and prior. Privileges may be escalated, giving attackers access to the PI System via the service account."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-264"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "103396",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103396"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-04",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-04"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-7500",
"datePublished": "2018-03-14T18:00:00",
"dateReserved": "2018-02-26T00:00:00",
"dateUpdated": "2024-08-05T06:31:04.282Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-7496 (GCVE-0-2018-7496)
Vulnerability from cvelistv5 – Published: 2018-03-14 18:00 – Updated: 2024-08-05 06:31
Summary
An Information Exposure issue was discovered in OSIsoft PI Vision versions 2017 and prior. The server response header and referrer-policy response header each provide unintended information disclosure.
Severity ?
No CVSS data available.
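CWE
- CWE-200 - Information Exposure
Assigner
icscert
References
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/103390 | vdb-entry, x_refsource_BID |
| https://ics-cert.us-cert.gov/advisories/ICSA-18-072-03 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| n/a | OSIsoft PI Vision | Affected: OSIsoft PI Vision |

Note: the record's structured affected entry names only the product; the version bound (versions 2017 and prior) appears only in the summary text, so tooling that matches on the version field will not see it.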
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:31:03.761Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "103390",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103390"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI Vision",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "OSIsoft PI Vision"
}
]
}
],
"datePublic": "2018-03-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An Information Exposure issue was discovered in OSIsoft PI Vision versions 2017 and prior. The server response header and referrer-policy response header each provide unintended information disclosure."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-15T09:57:02",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"name": "103390",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103390"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-03"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2018-7496",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI Vision",
"version": {
"version_data": [
{
"version_value": "OSIsoft PI Vision"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An Information Exposure issue was discovered in OSIsoft PI Vision versions 2017 and prior. The server response header and referrer-policy response header each provide unintended information disclosure."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "103390",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103390"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-03",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-03"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-7496",
"datePublished": "2018-03-14T18:00:00",
"dateReserved": "2018-02-26T00:00:00",
"dateUpdated": "2024-08-05T06:31:03.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-7531 (GCVE-0-2018-7531)
Vulnerability from cvelistv5 – Published: 2018-03-14 18:00 – Updated: 2024-08-05 06:31
Summary
An Improper Input Validation issue was discovered in OSIsoft PI Data Archive versions 2017 and prior. Unauthenticated users may use unvalidated custom requests to crash the server.
Severity ?
No CVSS data available.
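CWE
- CWE-20 - Improper Input Validation
Assigner
icscert
References
| URL | Tags |
|---|---|
| https://ics-cert.us-cert.gov/advisories/ICSA-18-072-02 | x_refsource_MISC |
| http://www.securityfocus.com/bid/103399 | vdb-entry, x_refsource_BID |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| n/a | OSIsoft PI Data Archive | Affected: OSIsoft PI Data Archive |

Note: the record's structured affected entry names only the product; the version bound (versions 2017 and prior) appears only in the summary text, so tooling that matches on the version field will not see it.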
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:31:04.271Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-02"
},
{
"name": "103399",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103399"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI Data Archive",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "OSIsoft PI Data Archive"
}
]
}
],
"datePublic": "2018-03-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An Improper Input Validation issue was discovered in OSIsoft PI Data Archive versions 2017 and prior. Unauthenticated users may use unvalidated custom requests to crash the server."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-15T09:57:02",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-02"
},
{
"name": "103399",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103399"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2018-7531",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI Data Archive",
"version": {
"version_data": [
{
"version_value": "OSIsoft PI Data Archive"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An Improper Input Validation issue was discovered in OSIsoft PI Data Archive versions 2017 and prior. Unauthenticated users may use unvalidated custom requests to crash the server."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-02",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-02"
},
{
"name": "103399",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103399"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-7531",
"datePublished": "2018-03-14T18:00:00",
"dateReserved": "2018-02-26T00:00:00",
"dateUpdated": "2024-08-05T06:31:04.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-7504 (GCVE-0-2018-7504)
Vulnerability from cvelistv5 – Published: 2018-03-14 18:00 – Updated: 2024-08-05 06:31
Summary
A Protection Mechanism Failure issue was discovered in OSIsoft PI Vision versions 2017 and prior. The X-XSS-Protection response header is not set to block, allowing attempts at reflected cross-site scripting.
Severity ?
No CVSS data available.
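CWE
- CWE-693 - Protection Mechanism Failure
Assigner
icscert
References
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/103390 | vdb-entry, x_refsource_BID |
| https://ics-cert.us-cert.gov/advisories/ICSA-18-072-03 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| n/a | OSIsoft PI Vision | Affected: OSIsoft PI Vision |

Note: the record's structured affected entry names only the product; the version bound (versions 2017 and prior) appears only in the summary text, so tooling that matches on the version field will not see it.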
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:31:03.801Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "103390",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103390"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI Vision",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "OSIsoft PI Vision"
}
]
}
],
"datePublic": "2018-03-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A Protection Mechanism Failure issue was discovered in OSIsoft PI Vision versions 2017 and prior. The X-XSS-Protection response header is not set to block, allowing attempts at reflected cross-site scripting."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-15T09:57:02",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"name": "103390",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103390"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-03"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2018-7504",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI Vision",
"version": {
"version_data": [
{
"version_value": "OSIsoft PI Vision"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Protection Mechanism Failure issue was discovered in OSIsoft PI Vision versions 2017 and prior. The X-XSS-Protection response header is not set to block, allowing attempts at reflected cross-site scripting."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-693"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "103390",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103390"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-03",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-03"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-7504",
"datePublished": "2018-03-14T18:00:00",
"dateReserved": "2018-02-26T00:00:00",
"dateUpdated": "2024-08-05T06:31:03.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-7508 (GCVE-0-2018-7508)
Vulnerability from cvelistv5 – Published: 2018-03-14 18:00 – Updated: 2024-08-05 06:31
Summary
A Cross-site Scripting issue was discovered in OSIsoft PI Web API versions 2017 R2 and prior. Cross-site scripting may occur when input is incorrectly neutralized.
Severity ?
No CVSS data available.
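CWE
- CWE-79 - Cross-site Scripting
Assigner
icscert
References
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/103396 | vdb-entry, x_refsource_BID |
| https://ics-cert.us-cert.gov/advisories/ICSA-18-072-04 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| n/a | OSIsoft PI Web API | Affected: OSIsoft PI Web API |

Note: the record's structured affected entry names only the product; the version bound (versions 2017 R2 and prior) appears only in the summary text, so tooling that matches on the version field will not see it.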
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:31:03.702Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "103396",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103396"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI Web API",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "OSIsoft PI Web API"
}
]
}
],
"datePublic": "2018-03-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A Cross-site Scripting issue was discovered in OSIsoft PI Web API versions 2017 R2 and prior. Cross-site scripting may occur when input is incorrectly neutralized."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-15T09:57:02",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"name": "103396",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103396"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-04"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2018-7508",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI Web API",
"version": {
"version_data": [
{
"version_value": "OSIsoft PI Web API"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Cross-site Scripting issue was discovered in OSIsoft PI Web API versions 2017 R2 and prior. Cross-site scripting may occur when input is incorrectly neutralized."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "103396",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103396"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-04",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-072-04"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-7508",
"datePublished": "2018-03-14T18:00:00",
"dateReserved": "2018-02-26T00:00:00",
"dateUpdated": "2024-08-05T06:31:03.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7934 (GCVE-0-2017-7934)
Vulnerability from cvelistv5 – Published: 2017-08-25 19:00 – Updated: 2024-08-05 16:19
Summary
An Improper Authentication issue was discovered in OSIsoft PI Server 2017 PI Data Archive versions prior to 2017. PI Network Manager using older protocol versions contains a flaw that could allow a malicious user to authenticate with a server and then cause PI Network Manager to behave in an undefined manner.
Severity ?
No CVSS data available.
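CWE
- CWE-287 - Improper Authentication
Assigner
icscert
References
| URL | Tags |
|---|---|
| https://ics-cert.us-cert.gov/advisories/ICSA-17-164-02 | x_refsource_MISC |
| http://www.securityfocus.com/bid/99059 | vdb-entry, x_refsource_BID |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| n/a | OSIsoft PI Server 2017 | Affected: OSIsoft PI Server 2017 |

Note: the record's structured affected entry names only the product; the version bound (PI Data Archive versions prior to 2017) appears only in the summary text, so tooling that matches on the version field will not see it.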
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:19:29.337Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-164-02"
},
{
"name": "99059",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99059"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI Server 2017",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "OSIsoft PI Server 2017"
}
]
}
],
"datePublic": "2017-08-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An Improper Authentication issue was discovered in OSIsoft PI Server 2017 PI Data Archive versions prior to 2017. PI Network Manager using older protocol versions contains a flaw that could allow a malicious user to authenticate with a server and then cause PI Network Manager to behave in an undefined manner."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-26T09:57:01",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-164-02"
},
{
"name": "99059",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99059"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2017-7934",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI Server 2017",
"version": {
"version_data": [
{
"version_value": "OSIsoft PI Server 2017"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An Improper Authentication issue was discovered in OSIsoft PI Server 2017 PI Data Archive versions prior to 2017. PI Network Manager using older protocol versions contains a flaw that could allow a malicious user to authenticate with a server and then cause PI Network Manager to behave in an undefined manner."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-164-02",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-164-02"
},
{
"name": "99059",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99059"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2017-7934",
"datePublished": "2017-08-25T19:00:00",
"dateReserved": "2017-04-18T00:00:00",
"dateUpdated": "2024-08-05T16:19:29.337Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7930 (GCVE-0-2017-7930)
Vulnerability from cvelistv5 – Published: 2017-08-25 19:00 – Updated: 2024-08-05 16:19
Summary
An Improper Authentication issue was discovered in OSIsoft PI Server 2017 PI Data Archive versions prior to 2017. PI Data Archive has protocol flaws with the potential to expose change records in the clear and allow a malicious party to spoof a server within a collective.
Severity ?
No CVSS data available.
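CWE
- CWE-287 - Improper Authentication
Assigner
icscert
References
| URL | Tags |
|---|---|
| https://ics-cert.us-cert.gov/advisories/ICSA-17-164-02 | x_refsource_MISC |
| http://www.securityfocus.com/bid/99059 | vdb-entry, x_refsource_BID |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| n/a | OSIsoft PI Server 2017 | Affected: OSIsoft PI Server 2017 |

Note: the record's structured affected entry names only the product; the version bound (PI Data Archive versions prior to 2017) appears only in the summary text, so tooling that matches on the version field will not see it.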
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:19:29.247Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-164-02"
},
{
"name": "99059",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99059"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OSIsoft PI Server 2017",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "OSIsoft PI Server 2017"
}
]
}
],
"datePublic": "2017-08-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An Improper Authentication issue was discovered in OSIsoft PI Server 2017 PI Data Archive versions prior to 2017. PI Data Archive has protocol flaws with the potential to expose change records in the clear and allow a malicious party to spoof a server within a collective."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-26T09:57:01",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-164-02"
},
{
"name": "99059",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99059"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2017-7930",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OSIsoft PI Server 2017",
"version": {
"version_data": [
{
"version_value": "OSIsoft PI Server 2017"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An Improper Authentication issue was discovered in OSIsoft PI Server 2017 PI Data Archive versions prior to 2017. PI Data Archive has protocol flaws with the potential to expose change records in the clear and allow a malicious party to spoof a server within a collective."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-164-02",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-164-02"
},
{
"name": "99059",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99059"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2017-7930",
"datePublished": "2017-08-25T19:00:00",
"dateReserved": "2017-04-18T00:00:00",
"dateUpdated": "2024-08-05T16:19:29.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}