Multiple vulnerabilities in OSIsoft PI Vision
| Risk | Low |
| Patch available | NO |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2019-18244 CVE-2019-18273 |
| CWE-ID | CWE-532 CWE-79 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
PI Vision Client/Desktop applications / Multimedia software |
| Vendor | OSIsoft |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Inclusion of Sensitive Information in Log Files
EUVDB-ID: #VU24315
Risk: Low
CVSSv3.1: 4.7 [CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2019-18244
CWE-ID:
CWE-532 - Information Exposure Through Log Files
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to gain access to potentially sensitive information.
The vulnerability exists due to the affected software records the service account password in the installation log files when a non-default service account and password are specified during installation or upgrade. A local attacker can gain access to sensitive information on the target system.
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsPI Vision: 2017 R2 - 2019
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-20-014-06
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Cross-site scripting
EUVDB-ID: #VU24316
Risk: Low
CVSSv3.1: 5.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2019-18273
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsPI Vision: 2017 R2 - 2017 R2 SP1
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-20-014-06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
