CVE-2018-19006
Description
OSIsoft PI Vision, versions PI Vision 2017 and PI Vision 2017 R2: the application contains a cross-site scripting vulnerability in which displays that reference AF elements and attributes containing JavaScript are affected. This vulnerability requires that authorized AF users be able to store JavaScript in AF elements and attributes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OSIsoft PI Vision 2017 and 2017 R2 contain a stored cross-site scripting vulnerability via AF elements and attributes, allowing authenticated users to inject JavaScript.
Vulnerability
PI Vision 2017 and PI Vision 2017 R2 contain a stored cross-site scripting (XSS) vulnerability. Displays that reference AF (Asset Framework) elements and attributes containing JavaScript are affected. The vulnerability requires an authorized AF user to store malicious JavaScript in AF elements or attributes. When a victim views a display referencing those elements, the script executes in their browser. [1]
Exploitation
An attacker must be an authenticated AF user with write access to the AF hierarchy or templates. The attacker stores JavaScript in AF elements or attributes. Subsequently, any PI Vision user viewing a display that references these modified elements triggers the script. The attack requires no special network position beyond access to PI Vision and user interaction (viewing the display). [1]
Impact
Successful exploitation allows an attacker to read and modify the contents of the PI Vision web page and data related to the PI Vision application in the victim's browser. The CVSS v3 base score is 4.8 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N), indicating low confidentiality and integrity impact with scope change. [1]
Mitigation
OSIsoft recommends upgrading to PI Vision 2017 R2 SP1, which can be obtained directly from OSIsoft. Additionally, periodic review of AF Server permissions to ensure only intended users have write access to elements, element templates, and event frame templates is recommended to reduce exposure. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OSIsoft / PI Vision v5, range: PI Vision 2017
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://ics-cert.us-cert.gov/advisories/ICSA-19-043-01 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.