ID

VAR-201803-2204


CVE

CVE-2018-7504


TITLE

OSIsoft PI Vision Cross-Site Scripting Vulnerability

Trust: 1.4

sources: IVD: e2e610b0-39ab-11e9-9d94-000c29342cb1 // CNVD: CNVD-2018-05312 // CNNVD: CNNVD-201803-457

DESCRIPTION

A Protection Mechanism Failure issue was discovered in OSIsoft PI Vision versions 2017 and prior. The X-XSS-Protection response header is not set to block, allowing attempts at reflected cross-site scripting. OSIsoft PI Vision contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. PI Vision is the leading visualization tool for fast, easy and secure access to all PI System™ data. An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Trust: 2.61

sources: NVD: CVE-2018-7504 // JVNDB: JVNDB-2018-003013 // CNVD: CNVD-2018-05312 // BID: 103390 // IVD: e2e610b0-39ab-11e9-9d94-000c29342cb1

IOT TAXONOMY

category: ['ICS'] // sub_category: -

Trust: 0.8

sources: IVD: e2e610b0-39ab-11e9-9d94-000c29342cb1 // CNVD: CNVD-2018-05312

AFFECTED PRODUCTS

vendor: osisoft // model: pi vision // scope: lte // version: 2017

Trust: 1.8

vendor: osisoft // model: pi vision // scope: eq // version: 2017

Trust: 0.9

vendor: osisoft // model: pi vision // scope: lte // version: <=2017

Trust: 0.8

vendor: osisoft // model: pi vision r2 update // scope: ne // version: 20171

Trust: 0.3

sources: IVD: e2e610b0-39ab-11e9-9d94-000c29342cb1 // CNVD: CNVD-2018-05312 // BID: 103390 // JVNDB: JVNDB-2018-003013 // CNNVD: CNNVD-201803-457 // NVD: CVE-2018-7504

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-7504
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-7504
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2018-05312
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201803-457
value: MEDIUM

Trust: 0.6

IVD: e2e610b0-39ab-11e9-9d94-000c29342cb1
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2018-7504
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-05312
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2e610b0-39ab-11e9-9d94-000c29342cb1
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2018-7504
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: IVD: e2e610b0-39ab-11e9-9d94-000c29342cb1 // CNVD: CNVD-2018-05312 // JVNDB: JVNDB-2018-003013 // CNNVD: CNNVD-201803-457 // NVD: CVE-2018-7504

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

problemtype:CWE-693

Trust: 1.0

sources: JVNDB: JVNDB-2018-003013 // NVD: CVE-2018-7504

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201803-457

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201803-457

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-003013

PATCH

title: Top Page // url: https://www.osisoft.com/

Trust: 0.8

title: Patch for OSIsoft PI Vision Cross-Site Scripting Vulnerability // url: https://www.cnvd.org.cn/patchInfo/show/121517

Trust: 0.6

title: OSIsoft PI Vision Fixes for cross-site scripting vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=79107

Trust: 0.6

sources: CNVD: CNVD-2018-05312 // JVNDB: JVNDB-2018-003013 // CNNVD: CNNVD-201803-457

EXTERNAL IDS

db: NVD // id: CVE-2018-7504

Trust: 3.5

db: ICS CERT // id: ICSA-18-072-03

Trust: 3.3

db: BID // id: 103390

Trust: 1.9

db: CNVD // id: CNVD-2018-05312

Trust: 0.8

db: CNNVD // id: CNNVD-201803-457

Trust: 0.8

db: JVNDB // id: JVNDB-2018-003013

Trust: 0.8

db: IVD // id: E2E610B0-39AB-11E9-9D94-000C29342CB1

Trust: 0.2

sources: IVD: e2e610b0-39ab-11e9-9d94-000c29342cb1 // CNVD: CNVD-2018-05312 // BID: 103390 // JVNDB: JVNDB-2018-003013 // CNNVD: CNNVD-201803-457 // NVD: CVE-2018-7504

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-18-072-03

Trust: 3.3

url:http://www.securityfocus.com/bid/103390

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7504

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-7504

Trust: 0.8

url:https://www.osisoft.com/default.aspx

Trust: 0.3

sources: CNVD: CNVD-2018-05312 // BID: 103390 // JVNDB: JVNDB-2018-003013 // CNNVD: CNNVD-201803-457 // NVD: CVE-2018-7504

CREDITS

The vendor reported these issues.

Trust: 0.3

sources: BID: 103390

SOURCES

db: IVD // id: e2e610b0-39ab-11e9-9d94-000c29342cb1
db: CNVD // id: CNVD-2018-05312
db: BID // id: 103390
db: JVNDB // id: JVNDB-2018-003013
db: CNNVD // id: CNNVD-201803-457
db: NVD // id: CVE-2018-7504

LAST UPDATE DATE

2024-11-23T23:02:11.185000+00:00


SOURCES UPDATE DATE

db: CNVD // id: CNVD-2018-05312 // date: 2018-03-15T00:00:00
db: BID // id: 103390 // date: 2018-03-13T00:00:00
db: JVNDB // id: JVNDB-2018-003013 // date: 2018-05-09T00:00:00
db: CNNVD // id: CNNVD-201803-457 // date: 2019-10-17T00:00:00
db: NVD // id: CVE-2018-7504 // date: 2024-11-21T04:12:15.587

SOURCES RELEASE DATE

db: IVD // id: e2e610b0-39ab-11e9-9d94-000c29342cb1 // date: 2018-03-15T00:00:00
db: CNVD // id: CNVD-2018-05312 // date: 2018-03-15T00:00:00
db: BID // id: 103390 // date: 2018-03-13T00:00:00
db: JVNDB // id: JVNDB-2018-003013 // date: 2018-05-09T00:00:00
db: CNNVD // id: CNNVD-201803-457 // date: 2018-03-14T00:00:00
db: NVD // id: CVE-2018-7504 // date: 2018-03-14T18:29:00.560