github - ghsa-986q-gcjg-v754

GHSA-986Q-GCJG-V754

Vulnerability from github – Published: 2025-06-12 21:30 – Updated: 2025-06-12 21:30

Details

A cross-site scripting vulnerability exists in AVEVA PI Web API version 2023 SP1 and prior that, if exploited, could allow an authenticated attacker (with privileges to create/update annotations or upload media files) to persist arbitrary JavaScript code that will be executed by users who were socially engineered to disable content security policy protections while rendering annotation attachments from within a web browser.

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

4.5 (Medium)


                  
                    CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-2745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-12T20:15:21Z",
    "severity": "MODERATE"
  },
  "details": "A cross-site scripting vulnerability exists in AVEVA\u00a0PI Web API version 2023 \nSP1 and prior that, if exploited, could allow an authenticated attacker \n(with privileges to create/update annotations or upload media files) to \npersist arbitrary JavaScript code that will be executed by users who \nwere socially engineered to disable content security policy protections \nwhile rendering annotation attachments from within a web browser.",
  "id": "GHSA-986q-gcjg-v754",
  "modified": "2025-06-12T21:30:31Z",
  "published": "2025-06-12T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2745"
    },
    {
      "type": "WEB",
      "url": "https://www.aveva.com/en/support-and-success/cyber-security-updates"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-162-08"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

CVE-2025-2745 (GCVE-0-2025-2745)

Vulnerability from cvelistv5 – Published: 2025-06-12 19:42 – Updated: 2025-06-12 20:09

Title

AVEVA PI Web API Cross-site Scripting

Summary

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

4.5 (Medium)


                        
                          CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N

CWE

CWE-79

Assigner

icscert

References

URL

Tags

	https://www.cisa.gov/news-events/ics-advisories/i…
	https://www.aveva.com/en/support-and-success/cybe…

Impacted products

	Vendor	Product	Version
	AVEVA	PI Web API	Affected: 0 , ≤ 2023 SP1 (custom)

Credits

AVEVA reported this vulnerability to CISA.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-2745",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-12T20:09:20.915656Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-12T20:09:34.976Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PI Web API",
          "vendor": "AVEVA",
          "versions": [
            {
              "lessThanOrEqual": "2023 SP1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "AVEVA reported this vulnerability to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A cross-site scripting vulnerability exists in AVEVA\u0026nbsp;PI Web API version 2023 \nSP1 and prior that, if exploited, could allow an authenticated attacker \n(with privileges to create/update annotations or upload media files) to \npersist arbitrary JavaScript code that will be executed by users who \nwere socially engineered to disable content security policy protections \nwhile rendering annotation attachments from within a web browser."
            }
          ],
          "value": "A cross-site scripting vulnerability exists in AVEVA\u00a0PI Web API version 2023 \nSP1 and prior that, if exploited, could allow an authenticated attacker \n(with privileges to create/update annotations or upload media files) to \npersist arbitrary JavaScript code that will be executed by users who \nwere socially engineered to disable content security policy protections \nwhile rendering annotation attachments from within a web browser."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "LOW",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-12T19:42:27.001Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-162-08"
        },
        {
          "url": "https://www.aveva.com/en/support-and-success/cyber-security-updates/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAVEVA recommends that organizations evaluate the impact of these \nvulnerabilities based on their operational environment, architecture, \nand product implementation. Users of affected product versions should \napply security updates to mitigate the risk of exploit.\u003c/p\u003e\u003cp\u003eFrom \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://my.osisoft.com/\"\u003eOSISoft Customer Portal\u003c/a\u003e, search for \"PI Web API\" and select version 2023 SP1 Patch 1 or higher.\u0026nbsp;\u003cbr\u003e\nFor additional information please refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.aveva.com/en/support-and-success/cyber-security-updates/\"\u003eAVEVA-2025-003\u003c/a\u003e.\n\n\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "AVEVA recommends that organizations evaluate the impact of these \nvulnerabilities based on their operational environment, architecture, \nand product implementation. Users of affected product versions should \napply security updates to mitigate the risk of exploit.\n\nFrom  OSISoft Customer Portal https://my.osisoft.com/ , search for \"PI Web API\" and select version 2023 SP1 Patch 1 or higher.\u00a0\n\nFor additional information please refer to  AVEVA-2025-003 https://www.aveva.com/en/support-and-success/cyber-security-updates/ ."
        }
      ],
      "source": {
        "advisory": "ICSA-25-162-08",
        "discovery": "INTERNAL"
      },
      "title": "AVEVA PI Web API Cross-site Scripting",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAVEVA further recommends users follow general defensive measures:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eReview and update the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.aveva.com/bundle/pi-server-f-af-pse/page/1022248.html\"\u003efile extensions allowlist\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\u003cli\u003e for annotation attachments to remove potentially vulnerable of undesired file types (ex: svg, pdf, ...).\u003c/li\u003e\n\u003cli\u003eConsider implementing IT policies that would prevent users from \nsubverting/disabling content security policy browser protections.\u003c/li\u003e\n\u003cli\u003eInform PI Web API users that annotation attachments should be \nretrieved through direct REST requests to PI Web API rather than \nrendering them in the browser interface.\u003c/li\u003e\n\u003cli\u003eAudit assigned privileges to ensure that only trusted users are given \"Annotate\" \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://docs.aveva.com/bundle/pi-server-f-af-pse/page/1020021.html\"\u003eaccess rights\u003c/a\u003e\u003c/li\u003e\u003cp\u003eFor additional information please refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.aveva.com/en/support-and-success/cyber-security-updates/\"\u003eAVEVA-2025-003\u003c/a\u003e.\n\n\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "AVEVA further recommends users follow general defensive measures:\n\n\n\n  *  Review and update the  file extensions allowlist https://docs.aveva.com/bundle/pi-server-f-af-pse/page/1022248.html \n\n\n  *   for annotation attachments to remove potentially vulnerable of undesired file types (ex: svg, pdf, ...).\n\n  *  Consider implementing IT policies that would prevent users from \nsubverting/disabling content security policy browser protections.\n\n  *  Inform PI Web API users that annotation attachments should be \nretrieved through direct REST requests to PI Web API rather than \nrendering them in the browser interface.\n\n  *  Audit assigned privileges to ensure that only trusted users are given \"Annotate\"  access rights https://docs.aveva.com/bundle/pi-server-f-af-pse/page/1020021.html \nFor additional information please refer to  AVEVA-2025-003 https://www.aveva.com/en/support-and-success/cyber-security-updates/ ."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-2745",
    "datePublished": "2025-06-12T19:42:27.001Z",
    "dateReserved": "2025-03-24T16:30:31.847Z",
    "dateUpdated": "2025-06-12T20:09:34.976Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-986Q-GCJG-V754

CVE-2025-2745 (GCVE-0-2025-2745)

Tags

Sightings

Nomenclature