VYPR
Unrated severity · NVD Advisory · Published Apr 18, 2022 · Updated Apr 16, 2025

OSIsoft PI Vision Cross-site Scripting

CVE-2020-25163

Description

A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with the victim's user permissions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An XSS vulnerability in OSIsoft PI Vision 2020 before 3.5.0 allows attackers with write access to PI ProcessBook files to inject code, leading to information disclosure, modification, or deletion.

Vulnerability

A remote attacker with write access to PI ProcessBook files can inject malicious code that is imported into PI Vision 2020 versions prior to 3.5.0. This is an improper neutralization of input during web page generation (Cross-Site Scripting, CWE-79) vulnerability. The injected code executes when a victim views or interacts with the infected display. The affected product is PI Vision 2020, all versions before 3.5.0 [1].

Exploitation

The attacker must have write access to PI ProcessBook files; the advisory characterizes the attacker as remote. The exploit consists of injecting malicious script into a ProcessBook file that is subsequently imported into PI Vision. Once imported, the payload executes when a victim views or interacts with the infected display; no further user interaction is required. The CVSS vector string (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N) indicates a network attack vector, high attack complexity, low privileges required, user interaction required, changed scope, and high confidentiality and integrity impact with no availability impact [1].

Impact

Successful exploitation leads to unauthorized information disclosure, modification, or deletion of PI System data and other data accessible with the victim's user permissions. The attacker gains the ability to perform actions with the victim's privileges, potentially compromising confidentiality and integrity of sensitive data. The scope of the attack can extend to other parts of the system accessible to the victim [1].

Mitigation

OSIsoft released PI Vision 2020 Version 3.5.0, which resolves this vulnerability; users should upgrade to version 3.5.0 or later. OSIsoft also provides recommended defensive measures and configuration settings on its customer portal (login required), and CISA recommends that users apply defensive measures to minimize risk [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Osisoft/PI Vision (llm-create), 2 versions:
    • (no CPE) range: <3.5.0
    • (no CPE) range: unspecified

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.