CVE-2020-25163 - Vulnerability Details - OpenCVE

A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with victim’s user permissions.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.0024.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Osisoft	Pi Vision

Configuration 1 [-]

cpe:2.3:a:osisoft:pi_vision:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2020-17854	A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with victim’s user permissions.

Fixes

Solution

OSIsoft released PI Vision 2020 Version 3.5.0, which resolves these vulnerabilities. Recommended defensive measures and related configuration settings are described on the OSIsoft customer portal (Login required).

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02

History

Wed, 16 Apr 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-04-18T16:20:45.000Z

Updated: 2025-04-16T17:55:26.780Z

Reserved: 2020-09-04T00:00:00.000Z

Link: CVE-2020-25163

Vulnrichment

Updated: 2024-08-04T15:26:09.485Z

NVD

Status : Modified

Published: 2022-04-18T17:15:12.230

Modified: 2024-11-21T05:17:31.017

Link: CVE-2020-25163

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "PI Vision", "vendor": "OSIsoft", "versions": [{"lessThan": "2020", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "OSIsoft reported these vulnerabilities to CISA"}], "descriptions": [{"lang": "en", "value": "A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with victim\u2019s user permissions."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Cross-site Scripting", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-18T16:20:45.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"}], "solutions": [{"lang": "en", "value": "OSIsoft released PI Vision 2020 Version 3.5.0, which resolves these vulnerabilities.\n\nRecommended defensive measures and related configuration settings are described on the OSIsoft customer portal (Login required)."}], "source": {"discovery": "INTERNAL"}, "title": "OSIsoft PI Vision Cross-site Scripting", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2020-25163", "STATE": "PUBLIC", "TITLE": "OSIsoft PI Vision Cross-site Scripting"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PI Vision", "version": {"version_data": [{"version_affected": "<", "version_value": "2020"}]}}]}, "vendor_name": "OSIsoft"}]}}, "credit": [{"lang": "eng", "value": "OSIsoft reported these vulnerabilities to CISA"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with victim\u2019s user permissions."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Cross-site Scripting"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"}]}, "solution": [{"lang": "en", "value": "OSIsoft released PI Vision 2020 Version 3.5.0, which resolves these vulnerabilities.\n\nRecommended defensive measures and related configuration settings are described on the OSIsoft customer portal (Login required)."}], "source": {"discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:26:09.485Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-16T17:29:40.461576Z", "id": "CVE-2020-25163", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T17:55:26.780Z"}}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2020-25163", "datePublished": "2022-04-18T16:20:45.000Z", "dateReserved": "2020-09-04T00:00:00.000Z", "dateUpdated": "2025-04-16T17:55:26.780Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:26:09.485Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-25163", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-16T17:29:40.461576Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-16T17:29:41.787Z"}}], "cna": {"title": "OSIsoft PI Vision Cross-site Scripting", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "value": "OSIsoft reported these vulnerabilities to CISA"}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "OSIsoft", "product": "PI Vision", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "2020", "versionType": "custom"}]}], "solutions": [{"lang": "en", "value": "OSIsoft released PI Vision 2020 Version 3.5.0, which resolves these vulnerabilities.\n\nRecommended defensive measures and related configuration settings are described on the OSIsoft customer portal (Login required)."}], "references": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02", "tags": ["x_refsource_CONFIRM"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with victim\u2019s user permissions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Cross-site Scripting"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2022-04-18T16:20:45.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "OSIsoft reported these vulnerabilities to CISA"}], "impact": {"cvss": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, "source": {"discovery": "INTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2020", "version_affected": "<"}]}, "product_name": "PI Vision"}]}, "vendor_name": "OSIsoft"}]}}, "solution": [{"lang": "en", "value": "OSIsoft released PI Vision 2020 Version 3.5.0, which resolves these vulnerabilities.\n\nRecommended defensive measures and related configuration settings are described on the OSIsoft customer portal (Login required)."}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02", "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with victim\u2019s user permissions."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Cross-site Scripting"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2020-25163", "STATE": "PUBLIC", "TITLE": "OSIsoft PI Vision Cross-site Scripting", "ASSIGNER": "ics-cert@hq.dhs.gov"}}}}, "cveMetadata": {"cveId": "CVE-2020-25163", "state": "PUBLISHED", "dateUpdated": "2025-04-16T17:55:26.780Z", "dateReserved": "2020-09-04T00:00:00.000Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2022-04-18T16:20:45.000Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:osisoft:pi_vision:*:*:*:*:*:*:*:*", "matchCriteriaId": "D871A52C-B847-408D-8C8C-1D4589C0A6F8", "versionEndExcluding": "2020", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with victim\u2019s user permissions."}, {"lang": "es", "value": "Un atacante remoto con acceso de escritura a los archivos PI ProcessBook podr\u00eda inyectar c\u00f3digo importado en OSIsoft PI Vision 2020 versiones anteriores a 3.5.0. Tambi\u00e9n es posible la divulgaci\u00f3n, modificaci\u00f3n o eliminaci\u00f3n de informaci\u00f3n no autorizada si una v\u00edctima visualiza o interact\u00faa con la pantalla infectada. Esta vulnerabilidad afecta a los datos del Sistema PI y a otros datos accesibles con los permisos de usuario de la v\u00edctima"}], "id": "CVE-2020-25163", "lastModified": "2024-11-21T05:17:31.017", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.8, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-18T17:15:12.230", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}