SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-236516579] OSIsoft PI Vision

| Date | Type | Platform | Author | EDB-ID | CVE-ID | OSVDB-ID | Download | App | SIS Signature |
|---|---|---|---|---|---|---|---|---|---|
| 2018-03-13 | Other | OSIsoft | OSIsoft self-reported the vulnerabilities to NCCIC. | N/A | CVE-2018-7504, CVE-2018-7496 | N/A | N/A | N/A | |

Source

#
# OSIsoft PI Vision
#


### VULNERABLE VENDOR
OSIsoft


### VULNERABLE PRODUCT
PI Vision


### RESEARCHER
OSIsoft self-reported the vulnerabilities to NCCIC.


### AFFECTED PRODUCTS
The following versions of PI Vision, a data visualization framework, are affected:

PI Vision versions 2017 and prior


### IMPACT
Successful exploitation of these vulnerabilities could allow remote code execution and expose information.


### VULNERABILITY OVERVIEW
PROTECTION MECHANISM FAILURE CWE-693
The X-XSS-Protection response header is not set to block mode, so reflected cross-site scripting attempts are not blocked by the browser's filter.
CVE-2018-7504 has been assigned to this vulnerability.
A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).


INFORMATION EXPOSURE CWE-200
The Server response header and the Referrer-Policy response header each disclose information unintentionally.
CVE-2018-7496 has been assigned to this vulnerability.
A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N).
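The two weaknesses above are both response-header misconfigurations, so a defender can check for them with a simple header audit. The following is an added example (not OSIsoft or CRITIFENCE code); the header sets in it are constructed for illustration, not captured PI Vision responses.

```python
from typing import Dict, List

# Constructed sample header sets (not captured PI Vision responses).
WEAK_HEADERS = {
    "Server": "ExampleServer/1.2",
    "X-XSS-Protection": "0",
    "Referrer-Policy": "unsafe-url",
    "Content-Type": "text/html",
}
HARDENED_HEADERS = {
    "Server": "webserver",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Type": "text/html",
}

# Referrer-Policy values that never send the full URL to another origin.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per weakness described in the advisory."""
    # Header names are case-insensitive, so normalise keys before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    # CWE-693: the header must be present and in blocking mode.
    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("CWE-693: X-XSS-Protection header is missing")
    elif "mode=block" not in xss.replace(" ", "").lower():
        findings.append(f"CWE-693: X-XSS-Protection not set to block ({xss!r})")

    # CWE-200: a version string in Server identifies the exact software build.
    server = h.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"CWE-200: Server header discloses version ({server!r})")

    # CWE-200: a missing or permissive Referrer-Policy leaks internal URLs
    # (query strings included) to third-party sites via the Referer header.
    policy = h.get("referrer-policy")
    if policy is None:
        findings.append("CWE-200: Referrer-Policy header is missing")
    elif policy.lower() not in SAFE_REFERRER_POLICIES:
        findings.append(f"CWE-200: permissive Referrer-Policy ({policy!r})")
    return findings


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_headers(hdrs) or ["no findings"])
```

Current browsers have removed the XSS auditor that X-XSS-Protection controlled, so a Content-Security-Policy is the durable defence against reflected XSS; the check above reflects the advisory as written.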


### BACKGROUND
Critical Infrastructure Sectors: Multiple Sectors
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States


### MITIGATION

OSIsoft recommends that users upgrade to PI Vision 2017 R2 Update 1. Obtain the update from OSIsoft.

OSIsoft has released the following alert:

https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00338


NOTE: PI Vision 2017 R2 Update 1 also addresses PI Web API vulnerabilities. Please see the following OSIsoft alerts:

https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00337


https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00336