CVE-2019-18271
Description
OSIsoft PI Vision, all versions prior to 2019: the affected product is vulnerable to a cross-site request forgery that may be introduced on the PI Vision administration site.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in OSIsoft PI Vision prior to 2019 allows an attacker to perform unauthorized actions on the administration site by tricking a privileged user.
Vulnerability
OSIsoft PI Vision versions prior to 2019 are affected by a cross-site request forgery (CSRF) vulnerability (CWE-352) present on the PI Vision administration site [1]. The vulnerability exists in all versions of PI Vision released before the 2019 release [1]. No specific configuration beyond default settings is required for the vulnerable code path to be reachable.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious web request that targets the PI Vision administration site and then tricking an authenticated user with administrative privileges into executing the request, typically by luring them to click a link or visit a compromised page [1]. The attacker does not need to be authenticated themselves; user interaction is required and the attack can be performed remotely with a low skill level [1].
Impact
Successful exploitation could allow the attacker to perform actions on the PI Vision administration site with the privileges of the targeted user, leading to limited confidentiality impact (e.g., disclosure of some sensitive information) and high availability impact (e.g., potential disruption of the system) [1]. The CVSS v3 base score is 7.1 with a vector string of AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H [1].
Mitigation
OSIsoft released PI Vision 2019 as the fixed version that addresses this vulnerability [1]. Users should upgrade to PI Vision 2019 or later. No workarounds are mentioned in the reference; if upgrading is not immediately possible, restrict access to the administration site to trusted users and networks.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OSIsoft/PI Vision
Patches
No patches discovered yet.
References
[1] www.us-cert.gov/ics/advisories/icsa-20-014-06 (MITRE, x_refsource_MISC)