OSIsoft PI Vision Cross Site Scripting and Information Disclosure Vulnerabilities

OSIsoft PI Vision is prone to a cross-site scripting vulnerability and multiple information-disclosure vulnerabilities.
An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
OSIsoft PI Vision 2017 and prior are vulnerable.

Information

Bugtraq ID: 103390
Class: Input Validation Error
CVE: CVE-2018-7496
CVE-2018-7504

Remote: Yes
Local: No
Published: Mar 13 2018 12:00AM
Updated: Mar 13 2018 12:00AM
Credit: The vendor reported these issues.
Vulnerable: OSISoft PI Vision 2017

Not Vulnerable: OSISoft PI Vision 2017 R2 Update 1

Exploit

An attacker can exploit these issues by enticing an unsuspecting user to follow a malicious URI or by using readily available tools.

References:

• OSIsoft Home Page (OSIsoft)
  
• Advisory (ICSA-18-072-03) OSIsoft PI Vision (ICS-CERT)
  

Source: www.securityfocus.com