ID

VAR-201803-2205


CVE

CVE-2018-7508


TITLE

OSIsoft PI Web API Cross-Site Scripting Vulnerability

Trust: 1.4

sources: IVD: e2e5c28f-39ab-11e9-aa1f-000c29342cb1 // CNVD: CNVD-2018-05300 // CNNVD: CNNVD-201803-456

DESCRIPTION

A cross-site scripting issue was discovered in OSIsoft PI Web API versions 2017 R2 and prior. Cross-site scripting may occur when input is incorrectly neutralized. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or gain elevated privileges and perform unauthorized actions. This may aid in further attacks.

Trust: 2.61

sources: NVD: CVE-2018-7508 // JVNDB: JVNDB-2018-003014 // CNVD: CNVD-2018-05300 // BID: 103396 // IVD: e2e5c28f-39ab-11e9-aa1f-000c29342cb1

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: e2e5c28f-39ab-11e9-aa1f-000c29342cb1 // CNVD: CNVD-2018-05300

AFFECTED PRODUCTS

vendor: osisoft, model: pi web api, scope: eq, version: 2017

Trust: 1.6

vendor: osisoft, model: pi web api, scope: lte, version: 2017

Trust: 1.0

vendor: osisoft, model: pi vision, scope: lte, version: 2017

Trust: 1.0

vendor: osisoft, model: pi web api, scope: lte, version: 2017 r2

Trust: 0.8

vendor: osisoft, model: pi web api r2, scope: lte, version: <=2017

Trust: 0.6

vendor: osisoft, model: pi vision, scope: eq, version: 2017

Trust: 0.6

vendor: osisoft, model: pi web api r2, scope: eq, version: 20170

Trust: 0.3

vendor: osisoft, model: pi web api r2, scope: eq, version: 20160

Trust: 0.3

vendor: osisoft, model: pi web api r2 sp1, scope: ne, version: 20170

Trust: 0.3

vendor: osisoft, model: pi vision r2 update, scope: ne, version: 20171

Trust: 0.3

vendor: osisoft, model: pi af services r2 update, scope: ne, version: 201710

Trust: 0.3

vendor: pi web api, model: -, scope: eq, version: *

Trust: 0.2

vendor: pi web api, model: -, scope: eq, version: 2017

Trust: 0.2

vendor: pi vision, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: e2e5c28f-39ab-11e9-aa1f-000c29342cb1 // CNVD: CNVD-2018-05300 // BID: 103396 // JVNDB: JVNDB-2018-003014 // CNNVD: CNNVD-201803-456 // NVD: CVE-2018-7508

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-7508
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-7508
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2018-05300
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201803-456
value: MEDIUM

Trust: 0.6

IVD: e2e5c28f-39ab-11e9-aa1f-000c29342cb1
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2018-7508
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-05300
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2e5c28f-39ab-11e9-aa1f-000c29342cb1
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:H/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2018-7508
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: IVD: e2e5c28f-39ab-11e9-aa1f-000c29342cb1 // CNVD: CNVD-2018-05300 // JVNDB: JVNDB-2018-003014 // CNNVD: CNNVD-201803-456 // NVD: CVE-2018-7508

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2018-003014 // NVD: CVE-2018-7508

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201803-456

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201803-456

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-003014

PATCH

title: Top Page, url: https://www.osisoft.com/

Trust: 0.8

title: Patch for OSIsoft PI Web API Cross-Site Scripting Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/121499

Trust: 0.6

title: OSIsoft PI Web API Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=79106

Trust: 0.6

sources: CNVD: CNVD-2018-05300 // JVNDB: JVNDB-2018-003014 // CNNVD: CNNVD-201803-456

EXTERNAL IDS

db: NVD, id: CVE-2018-7508

Trust: 3.5

db: ICS CERT, id: ICSA-18-072-04

Trust: 3.3

db: BID, id: 103396

Trust: 1.9

db: CNVD, id: CNVD-2018-05300

Trust: 0.8

db: CNNVD, id: CNNVD-201803-456

Trust: 0.8

db: JVNDB, id: JVNDB-2018-003014

Trust: 0.8

db: IVD, id: E2E5C28F-39AB-11E9-AA1F-000C29342CB1

Trust: 0.2

sources: IVD: e2e5c28f-39ab-11e9-aa1f-000c29342cb1 // CNVD: CNVD-2018-05300 // BID: 103396 // JVNDB: JVNDB-2018-003014 // CNNVD: CNNVD-201803-456 // NVD: CVE-2018-7508

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-18-072-04

Trust: 3.3

url:http://www.securityfocus.com/bid/103396

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-7508

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-7508

Trust: 0.8

url:https://www.osisoft.com/default.aspx

Trust: 0.3

sources: CNVD: CNVD-2018-05300 // BID: 103396 // JVNDB: JVNDB-2018-003014 // CNNVD: CNNVD-201803-456 // NVD: CVE-2018-7508

CREDITS

OSIsoft

Trust: 0.3

sources: BID: 103396

SOURCES

db: IVD, id: e2e5c28f-39ab-11e9-aa1f-000c29342cb1
db: CNVD, id: CNVD-2018-05300
db: BID, id: 103396
db: JVNDB, id: JVNDB-2018-003014
db: CNNVD, id: CNNVD-201803-456
db: NVD, id: CVE-2018-7508

LAST UPDATE DATE

2024-11-23T23:05:09.134000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-05300, date: 2018-03-14T00:00:00
db: BID, id: 103396, date: 2018-03-13T00:00:00
db: JVNDB, id: JVNDB-2018-003014, date: 2018-05-09T00:00:00
db: CNNVD, id: CNNVD-201803-456, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-7508, date: 2024-11-21T04:12:15.993

SOURCES RELEASE DATE

db: IVD, id: e2e5c28f-39ab-11e9-aa1f-000c29342cb1, date: 2018-03-14T00:00:00
db: CNVD, id: CNVD-2018-05300, date: 2018-03-14T00:00:00
db: BID, id: 103396, date: 2018-03-13T00:00:00
db: JVNDB, id: JVNDB-2018-003014, date: 2018-05-09T00:00:00
db: CNNVD, id: CNNVD-201803-456, date: 2018-03-14T00:00:00
db: NVD, id: CVE-2018-7508, date: 2018-03-14T18:29:00.607