Unrated severity · NVD Advisory · Published Nov 17, 2021 · Updated Sep 16, 2024

OSIsoft PI Vision

CVE-2021-43551

Description

A remote attacker with write access to PI Vision could inject code into a display. Unauthorized information disclosure, modification, or deletion is possible if a victim views or interacts with the infected display using Microsoft Internet Explorer. The impact affects PI System data and other data accessible with the victim's user permissions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting in PI Vision allows attackers with write access to inject code into displays, leading to data disclosure or modification when victims using Internet Explorer view them.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in PI Vision versions prior to 2021 [1]. An attacker with write access to PI Vision can inject arbitrary JavaScript code into a display. The vulnerability is triggered when a victim using Microsoft Internet Explorer views or interacts with the infected display [1].

Exploitation

To exploit the vulnerability, an attacker must have write access to PI Vision (e.g., Publisher or Explorer roles). The attacker injects malicious code into a display, which is then stored. When a victim with sufficient privileges views the display using Internet Explorer, the injected code executes in the context of the victim's session [1].

Impact

Successful exploitation can lead to unauthorized information disclosure, modification, or deletion of PI System data and other data accessible with the victim's user permissions. The impact is limited by the victim's privileges [1].

Mitigation

OSIsoft recommends upgrading to PI Vision 2021 (registration required for security bulletin). Workarounds include configuring Publisher and Explorer roles in PI Vision User Access Levels to restrict write access [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1


References

1
