OSIsoft PI System
Description
An authenticated remote attacker could use specially crafted URLs to send a victim using PI Vision 2019 mobile to a vulnerable web page due to a known issue in a third-party component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2020-10643 is a cross-site scripting vulnerability in PI Vision 2019 mobile that allows an authenticated attacker to execute arbitrary JavaScript via crafted URLs.
Vulnerability
CVE-2020-10643 is a cross-site scripting (XSS) vulnerability in PI Vision 2019 mobile. An authenticated remote attacker can craft specially formatted URLs that, when visited by a victim, cause the browser to execute arbitrary JavaScript. This issue arises due to a known vulnerability in a third-party component used by PI Vision [1]. All versions of PI Vision 2019 mobile prior to the vendor-provided fix are affected.
Exploitation
An attacker must be authenticated to the PI Vision server and have network access to deliver the malicious URL. The attacker crafts a URL containing malicious JavaScript and tricks an authenticated victim (e.g., via phishing) into clicking the link. The victim's browser then executes the script in the context of the PI Vision application, as the third-party component's failure to properly validate input allows script injection [1].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the victim's browser session. This can lead to disclosure of sensitive information (e.g., session tokens, cookies), modification of web page content, or other actions within the PI Vision application's security context. The attacker gains the same privileges as the victim user [1].
Mitigation
OSIsoft has addressed this vulnerability in updated versions of PI Vision and associated components. Affected users should apply the latest patches as specified in the vendor advisory [1]. If immediate patching is not possible, OSIsoft recommends limiting network access to PI Vision servers and educating users about suspicious links. No workarounds besides upgrading are documented.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References
[1] us-cert.cisa.gov/ics/advisories/icsa-20-133-02 (mitre, x_refsource_MISC)