Details of VAR-202006-0319

ID

VAR-202006-0319

CVE

CVE-2020-12021

TITLE

OSIsoft Made PI Web API 2019 Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-005435

DESCRIPTION

In OSIsoft PI Web API 2019 Patch 1 (1.12.0.6346) and all previous versions, the affected product is vulnerable to a cross-site scripting attack, which may allow an attacker to remotely execute arbitrary code. PI Web API Is PI System Used when accessing RESTful The interface. This product supports client applications to read and write access to its AF and PI data via HTTPS

Trust: 2.16

sources: NVD: CVE-2020-12021 // JVNDB: JVNDB-2020-005435 // CNVD: CNVD-2020-51561

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-51561

AFFECTED PRODUCTS

vendor:	osisoft	model:	pi web api	scope:	eq	version:	2019	Trust: 1.0
vendor:	osisoft	model:	pi web api	scope:	lte	version:	2019	Trust: 1.0
vendor:	osisoft	model:	pi web api	scope:	eq	version:	2019 patch 1 (1.12.0.6346)	Trust: 0.8
vendor:	osisoft	model:	pi web api patch	scope:	lte	version:	<=20191(1.12.0.6346)	Trust: 0.6

sources: CNVD: CNVD-2020-51561 // JVNDB: JVNDB-2020-005435 // NVD: CVE-2020-12021

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-12021
value:	CRITICAL
Trust: 1.0
IPA:	JVNDB-2020-005435
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2020-51561
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202006-921
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2020-12021
severity:	MEDIUM
baseScore:	6.0
vectorString:	AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.8
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
CNVD:	CNVD-2020-51561
severity:	MEDIUM
baseScore:	6.0
vectorString:	AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.8
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2020-12021
baseSeverity:	CRITICAL
baseScore:	9.0
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.3
impactScore:	6.0
version:	3.1
Trust: 1.0
IPA score:	JVNDB-2020-005435
baseSeverity:	HIGH
baseScore:	7.7
vectorString:	CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-51561 // JVNDB: JVNDB-2020-005435 // CNNVD: CNNVD-202006-921 // NVD: CVE-2020-12021

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2020-005435 // NVD: CVE-2020-12021

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-921

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202006-921

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-005435

PATCH

title:	PI Web API	url:	https://techsupport.osisoft.com/Documentation/PI-Web-API/help.html	Trust: 0.8
title:	Patch for OSIsoft PI Web API cross-site scripting vulnerability (CNVD-2020-51561)	url:	https://www.cnvd.org.cn/patchInfo/show/233590	Trust: 0.6
title:	OSIsoft PI Web API Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=122995	Trust: 0.6

sources: CNVD: CNVD-2020-51561 // JVNDB: JVNDB-2020-005435 // CNNVD: CNNVD-202006-921

EXTERNAL IDS

db:	NVD	id:	CVE-2020-12021	Trust: 3.0
db:	ICS CERT	id:	ICSA-20-163-01	Trust: 3.0
db:	JVN	id:	JVNVU92610962	Trust: 0.8
db:	JVNDB	id:	JVNDB-2020-005435	Trust: 0.8
db:	CNVD	id:	CNVD-2020-51561	Trust: 0.6
db:	NSFOCUS	id:	47160	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.2064	Trust: 0.6
db:	CNNVD	id:	CNNVD-202006-921	Trust: 0.6

sources: CNVD: CNVD-2020-51561 // JVNDB: JVNDB-2020-005435 // CNNVD: CNNVD-202006-921 // NVD: CVE-2020-12021

REFERENCES

url:	https://www.us-cert.gov/ics/advisories/icsa-20-163-01	Trust: 3.0
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-12021	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu92610962/	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/47160	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2020-12021	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2020.2064/	Trust: 0.6

sources: CNVD: CNVD-2020-51561 // JVNDB: JVNDB-2020-005435 // CNNVD: CNNVD-202006-921 // NVD: CVE-2020-12021

SOURCES

db:	CNVD	id:	CNVD-2020-51561
db:	JVNDB	id:	JVNDB-2020-005435
db:	CNNVD	id:	CNNVD-202006-921
db:	NVD	id:	CVE-2020-12021

LAST UPDATE DATE

2024-11-23T22:25:26.745000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-51561	date:	2020-09-11T00:00:00
db:	JVNDB	id:	JVNDB-2020-005435	date:	2020-06-15T00:00:00
db:	CNNVD	id:	CNNVD-202006-921	date:	2020-07-16T00:00:00
db:	NVD	id:	CVE-2020-12021	date:	2024-11-21T04:59:07.807

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-51561	date:	2020-09-11T00:00:00
db:	JVNDB	id:	JVNDB-2020-005435	date:	2020-06-15T00:00:00
db:	CNNVD	id:	CNNVD-202006-921	date:	2020-06-11T00:00:00
db:	NVD	id:	CVE-2020-12021	date:	2020-06-23T22:15:13.980