CVSS: 4.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-19006
https://notcve.org/view.php?id=CVE-2018-19006
OSIsoft PI Vision, versions PI Vision 2017, and PI Vision 2017 R2, The application contains a cross-site scripting vulnerability where displays that reference AF elements and attributes containing JavaScript are affected. This vulnerability requires the ability of authorized AF users to store JavaScript in AF elements and attributes. OSIsoft PI Vision, versiones PI Vision 2017 y PI Vision 2017 R2. La aplicación contiene una vulnerabilidad de tipo Cross-Site Scripting en la que se ven afectadas las presentaciones que hacen referencia a elementos AF y atributos que contienen JavaScript. Esta vulnerabilidad requiere la capacidad de usuarios AF autorizados para almacenar JavaScript en elementos y atributos AF. • https://ics-cert.us-cert.gov/advisories/ICSA-19-043-01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-9641
https://notcve.org/view.php?id=CVE-2017-9641
PI Coresight 2016 R2 contains a cross-site request forgery vulnerability that may allow access to the PI system. OSIsoft recommends that users upgrade to PI Vision 2017 or greater to mitigate this vulnerability. PI Coresight 2016 R2 contiene una vulnerabilidad de Cross-Site Request Forgery (CSRF) que podría permitir el acceso al sistema PI. OSIsoft recomienda que los usuarios actualicen a PI Vision 2017 o siguientes para mitigar esta vulnerabilidad. • http://www.securityfocus.com/bid/99540 https://ics-cert.us-cert.gov/advisories/ICSA-17-192-04 https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00320 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2016-8365
https://notcve.org/view.php?id=CVE-2016-8365
OSIsoft PI System software (Applications using PI Asset Framework (AF) Client versions prior to PI AF Client 2016, Version 2.8.0; Applications using PI Software Development Kit (SDK) versions prior to PI SDK 2016, Version 1.4.6; PI Buffer Subsystem, versions prior to and including, Version 4.4; and PI Data Archive versions prior to PI Data Archive 2015, Version 3.4.395.64) operates between endpoints without a complete model of endpoint features potentially causing the product to perform actions based on this incomplete model, which could result in a denial of service. OSIsoft reports that in order to exploit the vulnerability an attacker would need to be locally connected to a server. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) El software OSIsoft PI System, en aplicaciones que emplean PI Asset Framework (AF) Client en versiones anteriores a PI AF Client 2016 2.8.0; aplicaciones que emplean PI Software Development Kit (SDK) en versiones anteriores a PI SDK 2016 1.4.6; PI Buffer Subsystem, en versiones anteriores a (e incluyendo) 4.4; y PI Data Archive en versiones anteriores a PI Data Archive 2015 3.4.395.64, opera entre endpoints sin un modelo completo de características de endpoint. Esto podría provocar que el producto realice acciones basado en este modelo incompleto, desembocando en una denegación de servicio. OSIsoft informa que, para explotar esta vulnerabilidad, un atacante necesitaría estar conectado localmente a un servidor. • http://www.securityfocus.com/bid/94165 https://ics-cert.us-cert.gov/advisories/ICS-VU-313-03 https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00308 • CWE-284: Improper Access Control CWE-437: Incomplete Model of Endpoint Features •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2018-7508
https://notcve.org/view.php?id=CVE-2018-7508
A Cross-site Scripting issue was discovered in OSIsoft PI Web API versions 2017 R2 and prior. Cross-site scripting may occur when input is incorrectly neutralized. e ha descubierto un problema de Cross-Site Scripting (XSS) en OSIsoft PI Web API, versiones 2017 R2 y anteriores. Podría darse Cross-Site Scripting (XSS) cuando las entradas se neutralizan de forma incorrecta. • http://www.securityfocus.com/bid/103396 https://ics-cert.us-cert.gov/advisories/ICSA-18-072-04 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2018-7496
https://notcve.org/view.php?id=CVE-2018-7496
An Information Exposure issue was discovered in OSIsoft PI Vision versions 2017 and prior. The server response header and referrer-policy response header each provide unintended information disclosure. Se ha descubierto un problema de exposición de información en OSIsoft PI Vision, en versiones 2017 y anteriores. Tanto la cabecera de respuesta del servidor como la cabecera de respuesta de referrer-policy proporcionan una divulgación de información no deseada. • http://www.securityfocus.com/bid/103390 https://ics-cert.us-cert.gov/advisories/ICSA-18-072-03 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •