|2017-06-13||Other||OSIsoft||These issues were found by OSIsoft and reported once they had prepared an upgrade to fix them.
# OSIsoft PI Web API 2017
### VULNERABLE VENDOR
### VULNERABLE PRODUCT
PI Web API 2017
These issues were found by OSIsoft and reported once they had prepared an upgrade to fix them.
### AFFECTED PRODUCTS
OSIsoft reports that the vulnerability affects the following PI Web API products:
PI Web API versions prior to 2017 (1.9.0).
Successful exploitation of this vulnerability may allow an attacker to access the PI System with the privileges of a legitimate client user. PI System data alteration is possible if the client user has sufficient access to write data.
### VULNERABILITY OVERVIEW
CROSS-SITE REQUEST FORGERY CWE-352
The vulnerability allows cross-site request forgery (CSRF) attacks to occur when an otherwise-unauthorized cross-site request is sent from a browser the server has previously authenticated.
CVE-2017-7926 has been assigned to this vulnerability.
OSIsoft calculated a CVSS v3 base score of 7.1; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
Critical Infrastructure Sectors: Multiple Sectors
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States
OSIsoft recommends that users upgrade to the PI Web API version 2017 (1.9.0) and enable CSRF defense. To enable this option, set the configuration attribute ‘EnableCSRFDefense’ to ‘True’ in the PI Web API System Configuration element. This element is located at the path "..\OSIsoft\PI Web API\PIWebAPIMachineName\System Configuration" in PI AF Server Configuration database.
A new installation of PI Web API 2017 (1.9.0) enables CSRF protection by default.
Please see alert AL00316 on the OSIsoft web page for more information about this issue: