ICSA-20-163-01  ·  Published 2020-06-11  ·  Source: CISA ICS-CERT

OSIsoft PI Web API 2019

CVSS 7.7 HIGH

Risk Summary

Successful exploitation of this vulnerability could allow a remote authenticated attacker with write access to a PI Server to trick a user into interacting with a PI Web API endpoint that executes arbitrary JavaScript in the user's browser, resulting in viewing, modification, or deletion of data as allowed by the victim's user permissions.

CVEs (1)

Remediations

  • OSIsoft recommends affected users upgrade to PI Web API 2019 SP1.

OSIsoft also recommends affected users implement the following measures to reduce the risk of exploitation:

  • Avoid adding the authentication type Anonymous in the PI Web API configuration settings, so that exposure is limited to authenticated users only.
  • Consider using a web application firewall to block HTML responses from PI Web API servers.
  • Limit write access to PI Server to trusted users.
  • Remove PI Web API write access to PI AF servers with the “DisableWrite” setting. For more information on the “DisableWrite” setting, consult the PI Web API User Guide.
  • Enable IE Enhanced Security Configuration on Windows servers where the Desktop Experience feature is installed.
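The following audit helper is an added example written for this page; it is not OSIsoft code and not part of the advisory. It checks an installed version against the affected range stated above, flags the two configuration weaknesses the mitigations target (Anonymous authentication enabled, writes to PI AF not disabled), and classifies a response as HTML or not, which is the decision a WAF rule for the "block HTML responses" mitigation has to make. The configuration endpoint path, the JSON key names (AuthenticationMethods, DisableWrite/DisableWrites) and the sample data are assumptions, constructed for offline use; verify the real attribute names against the PI Web API User Guide for your version before relying on them.

```python
"""Audit helpers for the ICSA-20-163-01 mitigations.

Added example, not OSIsoft's code. Assumptions (not taken from the advisory):
  * PI Web API exposes its effective configuration as JSON, assumed here at
    https://<host>/piwebapi/system/configuration.
  * The key names "AuthenticationMethods" and "DisableWrite" (the advisory's
    spelling; "DisableWrites" is also accepted) are assumed.
  * All sample configurations and headers below are constructed inline.
"""
import json

# Affected range stated in the advisory: PI Web API 2019 <= 1.12.0.6346
AFFECTED_MAX = (1, 12, 0, 6346)


def parse_version(text):
    """'1.12.0.6346' -> (1, 12, 0, 6346); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version):
    """True when the installed build falls inside the advisory's affected range."""
    return parse_version(version) <= AFFECTED_MAX


def audit_config(config):
    """Return findings for the settings the mitigations above ask you to change."""
    findings = []
    methods = [m.lower() for m in config.get("AuthenticationMethods", [])]
    if "anonymous" in methods:
        findings.append("Anonymous authentication enabled: unauthenticated "
                        "users can reach PI Web API endpoints")
    # Assumed key names; the advisory calls the setting "DisableWrite".
    disable_write = config.get("DisableWrite", config.get("DisableWrites", False))
    if not disable_write:
        findings.append("DisableWrite is off: PI Web API can write to PI AF, "
                        "so attacker-supplied data can be stored server-side")
    return findings


def is_html_response(headers):
    """True if a browser would render this response as HTML.

    A WAF implementing the 'block HTML responses' mitigation should block
    exactly these; JSON responses from the API are left alone.
    """
    content_type = ""
    for name, value in headers.items():
        if name.lower() == "content-type":
            content_type = value.lower()
    return content_type.startswith("text/html") or content_type.startswith("application/xhtml")


# Constructed sample data (not captured from a real server).
WEAK_CONFIG = json.loads("""{
  "AuthenticationMethods": ["Kerberos", "Basic", "Anonymous"],
  "DisableWrite": false
}""")

HARDENED_CONFIG = json.loads("""{
  "AuthenticationMethods": ["Kerberos"],
  "DisableWrite": true
}""")


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg) or "no findings")
    print("1.12.0.6346 affected:", is_affected("1.12.0.6346"))
    print("text/html blocked:", is_html_response({"Content-Type": "text/html; charset=utf-8"}))
```

In practice you would fetch the configuration JSON with the server's own authentication and pass the parsed object to audit_config; the version string is the build number shown in the PI Web API Admin Utility or the server's system endpoint.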

Affected Vendors

OSIsoft LLC

Affected Products (1)

OSIsoft LLC · PI Web API 2019, versions 1.12.0.6346 and prior

Affected Sectors

Chemical, Critical Manufacturing, Energy, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Water and Wastewater Systems
