ID

VAR-201904-0718


CVE

CVE-2018-19006


TITLE

OSIsoft PI Vision Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-015233

DESCRIPTION

OSIsoft PI Vision versions PI Vision 2017 and PI Vision 2017 R2 contain a cross-site scripting vulnerability that affects displays referencing AF elements and attributes containing JavaScript. This vulnerability requires the ability of authorized AF users to store JavaScript in AF elements and attributes. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. OSIsoft PI Vision 2017 and PI Vision 2017 R2 are vulnerable.

Trust: 1.89

sources: NVD: CVE-2018-19006 // JVNDB: JVNDB-2018-015233 // BID: 107002

AFFECTED PRODUCTS

vendor: osisoft // model: pi vision // scope: eq // version: 2017

Trust: 2.1

vendor: osisoft // model: pi vision // scope: eq // version: 2017 r2

Trust: 0.8

vendor: osisoft // model: pi vision r2 // scope: eq // version: 2017

Trust: 0.3

vendor: osisoft // model: pi vision r2 sp1 // scope: ne // version: 2017

Trust: 0.3

sources: BID: 107002 // JVNDB: JVNDB-2018-015233 // NVD: CVE-2018-19006

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-19006
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-19006
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201902-527
value: MEDIUM

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2018-19006
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

nvd@nist.gov: CVE-2018-19006
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.7
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2018-015233 // CNNVD: CNNVD-201902-527 // NVD: CVE-2018-19006

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2018-015233 // NVD: CVE-2018-19006

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201902-527

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201902-527

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-015233

PATCH

title: Top Page // url: https://www.osisoft.com/

Trust: 0.8

title: OSIsoft PI Fixes for cross-site scripting vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89338

Trust: 0.6

sources: JVNDB: JVNDB-2018-015233 // CNNVD: CNNVD-201902-527

EXTERNAL IDS

db: ICS CERT // id: ICSA-19-043-01

Trust: 2.7

db: NVD // id: CVE-2018-19006

Trust: 2.7

db: BID // id: 107002

Trust: 0.9

db: JVNDB // id: JVNDB-2018-015233

Trust: 0.8

db: CNNVD // id: CNNVD-201902-527

Trust: 0.6

sources: BID: 107002 // JVNDB: JVNDB-2018-015233 // CNNVD: CNNVD-201902-527 // NVD: CVE-2018-19006

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-19-043-01

Trust: 2.7

url:https://nvd.nist.gov/vuln/detail/cve-2018-19006

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-19006

Trust: 0.8

url:http://www.securityfocus.com/bid/107002

Trust: 0.6

url:https://www.osisoft.com/default.aspx

Trust: 0.3

sources: BID: 107002 // JVNDB: JVNDB-2018-015233 // CNNVD: CNNVD-201902-527 // NVD: CVE-2018-19006

CREDITS

OSIsoft reported this vulnerability to NCCIC. The vendor reported these issues.

Trust: 0.6

sources: CNNVD: CNNVD-201902-527

SOURCES

db: BID // id: 107002
db: JVNDB // id: JVNDB-2018-015233
db: CNNVD // id: CNNVD-201902-527
db: NVD // id: CVE-2018-19006

LAST UPDATE DATE

2024-11-23T22:25:57.370000+00:00


SOURCES UPDATE DATE

db: BID // id: 107002 // date: 2019-02-12T00:00:00
db: JVNDB // id: JVNDB-2018-015233 // date: 2019-05-15T00:00:00
db: CNNVD // id: CNNVD-201902-527 // date: 2019-04-19T00:00:00
db: NVD // id: CVE-2018-19006 // date: 2024-11-21T03:57:09.090

SOURCES RELEASE DATE

db: BID // id: 107002 // date: 2019-02-12T00:00:00
db: JVNDB // id: JVNDB-2018-015233 // date: 2019-05-15T00:00:00
db: CNNVD // id: CNNVD-201902-527 // date: 2019-02-12T00:00:00
db: NVD // id: CVE-2018-19006 // date: 2019-04-08T15:29:00.763