Risk Summary
Successful exploitation of this vulnerability could allow an attacker to disable Content Security Policy (CSP) protections in the browser of a user who views a malicious annotation attachment.
CVEs (1)
Remediations
- AVEVA recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation. Customers using affected product versions should apply security updates to mitigate the risk of exploitation.
- From the OSIsoft Customer Portal, search for "PI Web API" and select version 2023 SP1 Patch 1 or higher.
- AVEVA further recommends users follow general defensive measures:
- Review and update the file extensions allowlist for annotation attachments to remove potentially vulnerable or undesired file types (e.g. svg, pdf, ...).
- Consider implementing IT policies that would prevent users from subverting/disabling content security policy browser protections.
- Inform PI Web API users that annotation attachments should be retrieved through direct REST requests to PI Web API rather than rendering them in the browser interface.
- Audit assigned privileges to ensure that only trusted users are given "Annotate" access rights.
- For additional information please refer to AVEVA-2025-003.
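The allowlist and download-only measures above can be enforced on a server or proxy in front of attachment storage. The following is an added example, not AVEVA's code and not part of AVEVA-2025-003: it applies an extension allowlist that blocks the types the advisory names (svg, pdf) and other browser-active formats, sniffs the payload so a renamed SVG or PDF does not pass as a .png or .txt, and builds response headers that force a download instead of inline rendering. The allowlist contents, the sniffing heuristics and the sample files are assumptions constructed for the example.

```python
"""Added example (not AVEVA's code): allowlist + content sniffing for annotation
attachments, and download-only response headers. Everything below is constructed
for illustration; the extension sets are assumptions, not AVEVA's defaults."""
import re
from typing import Optional, Tuple

# Hypothetical allowlist of inert attachment types.
ALLOWED_EXTENSIONS = {"txt", "csv", "png", "jpg", "jpeg"}
# Types the advisory names as potentially vulnerable (svg, pdf) plus other
# formats a browser would render as active content if shown inline.
BLOCKED_EXTENSIONS = {"svg", "pdf", "html", "htm", "xhtml", "xml", "js"}


def normalize_extension(filename: str) -> Optional[str]:
    """Return the lower-cased last extension, or None if the name is unsafe.

    Trailing dots and spaces are stripped because Windows ignores them, so
    "diagram.svg." would otherwise be stored as diagram.svg.
    """
    name = filename.strip().rstrip(". ").lower()
    if "/" in name or "\\" in name:
        return None  # reject path components outright
    return name.rsplit(".", 1)[1] if "." in name else ""


def sniff_active_content(data: bytes) -> Optional[str]:
    """Cheap magic-byte check for content a browser would execute or render.

    Only the first 1 KiB is inspected; a UTF-8 BOM and leading whitespace are
    skipped so "<?xml ...><svg>" and " <svg>" are both caught.
    """
    head = data[:1024].lstrip(b"\xef\xbb\xbf \t\r\n")
    if head.startswith(b"%PDF-"):
        return "pdf"
    lower = head.lower()
    if b"<svg" in lower:
        return "svg"
    if b"<!doctype html" in lower or b"<html" in lower or b"<script" in lower:
        return "html"
    return None


def check_attachment(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an attachment upload."""
    ext = normalize_extension(filename)
    if ext is None:
        return False, "path separators not allowed"
    if ext in BLOCKED_EXTENSIONS:
        return False, f"extension '{ext}' is blocked"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' not in allowlist"
    sniffed = sniff_active_content(data)
    if sniffed:
        return False, f"content looks like {sniffed} despite .{ext} extension"
    return True, "ok"


def response_headers_for_download(filename: str) -> dict:
    """Headers that make a browser save the attachment rather than render it."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        # attachment disposition: never rendered inline in the page context
        "Content-Disposition": f'attachment; filename="{safe}"',
        # stop MIME sniffing from turning a .txt into text/html
        "X-Content-Type-Options": "nosniff",
        # belt and braces if something does render it: no sources, sandboxed
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Content-Type": "application/octet-stream",
    }


if __name__ == "__main__":
    # Constructed sample uploads (not real PI Web API data).
    samples = [
        ("note.txt", b"pump P-101 inspected, no leak"),
        ("diagram.svg", b"<svg xmlns='http://www.w3.org/2000/svg'/>"),
        ("Diagram.SVG.", b"<svg/>"),
        ("diagram.png", b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"/>'),
        ("report.txt", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
        ("tool.exe", b"MZ\x90\x00"),
    ]
    for name, payload in samples:
        print(name, check_attachment(name, payload))
    print(response_headers_for_download("site plan 2.txt"))
```

The allowlist is checked before the sniffer so that a blocked extension is rejected even when the body is harmless; the sniffer then catches the reverse case, where an SVG or PDF body is uploaded under a permitted extension. Serving the stored file with `Content-Disposition: attachment` and `nosniff` is what makes "retrieve via direct REST request" safe in practice: the browser writes the bytes to disk instead of interpreting them in the application's origin.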
Affected Vendors
AVEVA
Affected Products (1)
AVEVA · PI Web API (versions <= 2023 SP1)
Affected Sectors
Critical Manufacturing