CSRF in Allen Disk in OSIsoft PI Web API



Published: 2017-06-15
Risk: High
Patch available: Yes
Number of vulnerabilities: 1
CVE-ID: CVE-2017-7926
CWE-ID: CWE-352
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
PI Data Archive
Client/Desktop applications / Software for archiving

Vendor: OSIsoft

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Cross-site request forgery

EUVDB-ID: #VU7101

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7926

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote user to perform a CSRF attack.

The weakness exists due to insufficient checking of the sent requests. A remote attacker can trick the victim into loading specially crafted HTML, gain access to the affected system and modify information on the target system.

Mitigation

Update to version 2017 (1.9.0).

Vulnerable software versions

PI Data Archive: 2015 - 2016

External links

http://techsupport.osisoft.com/Troubleshooting/Alerts/AL00316


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into opening a specially crafted archive.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


