{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-2745", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2025-03-24T16:30:31.847Z", "datePublished": "2025-06-12T19:42:27.001Z", "dateUpdated": "2025-06-12T20:09:34.976Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "PI Web API", "vendor": "AVEVA", "versions": [{"lessThanOrEqual": "2023 SP1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "AVEVA reported this vulnerability to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A cross-site scripting vulnerability exists in AVEVA&nbsp;PI Web API version 2023 \nSP1 and prior that, if exploited, could allow an authenticated attacker \n(with privileges to create/update annotations or upload media files) to \npersist arbitrary JavaScript code that will be executed by users who \nwere socially engineered to disable content security policy protections \nwhile rendering annotation attachments from within a web browser."}], "value": "A cross-site scripting vulnerability exists in AVEVA\u00a0PI Web API version 2023 \nSP1 and prior that, if exploited, could allow an authenticated attacker \n(with privileges to create/update annotations or upload media files) to \npersist arbitrary JavaScript code that will be executed by users who \nwere socially engineered to disable content security policy protections \nwhile rendering annotation attachments from within a web browser."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 4.5, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-06-12T19:42:27.001Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-162-08"}, {"url": "https://www.aveva.com/en/support-and-success/cyber-security-updates/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>AVEVA recommends that organizations evaluate the impact of these \nvulnerabilities based on their operational environment, architecture, \nand product implementation. Users of affected product versions should \napply security updates to mitigate the risk of exploit.</p><p>From <a target=\"_blank\" rel=\"nofollow\" href=\"https://my.osisoft.com/\">OSISoft Customer Portal</a>, search for \"PI Web API\" and select version 2023 SP1 Patch 1 or higher.&nbsp;<br>\nFor additional information please refer to <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.aveva.com/en/support-and-success/cyber-security-updates/\">AVEVA-2025-003</a>.\n\n<br></p>"}], "value": "AVEVA recommends that organizations evaluate the impact of these \nvulnerabilities based on their operational environment, architecture, \nand product implementation. Users of affected product versions should \napply security updates to mitigate the risk of exploit.\n\nFrom OSISoft Customer Portal https://my.osisoft.com/ , search for \"PI Web API\" and select version 2023 SP1 Patch 1 or higher.\u00a0\n\nFor additional information please refer to AVEVA-2025-003 https://www.aveva.com/en/support-and-success/cyber-security-updates/ ."}], "source": {"advisory": "ICSA-25-162-08", "discovery": "INTERNAL"}, "title": "AVEVA PI Web API Cross-site Scripting", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>AVEVA further recommends users follow general defensive measures:</p>\n<ul>\n<li>Review and update the <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.aveva.com/bundle/pi-server-f-af-pse/page/1022248.html\">file extensions allowlist</a></li></ul><li> for annotation attachments to remove potentially vulnerable of undesired file types (ex: svg, pdf, ...).</li>\n<li>Consider implementing IT policies that would prevent users from \nsubverting/disabling content security policy browser protections.</li>\n<li>Inform PI Web API users that annotation attachments should be \nretrieved through direct REST requests to PI Web API rather than \nrendering them in the browser interface.</li>\n<li>Audit assigned privileges to ensure that only trusted users are given \"Annotate\" <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.aveva.com/bundle/pi-server-f-af-pse/page/1020021.html\">access rights</a></li><p>For additional information please refer to <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.aveva.com/en/support-and-success/cyber-security-updates/\">AVEVA-2025-003</a>.\n\n<br></p>"}], "value": "AVEVA further recommends users follow general defensive measures:\n\n\n\n * Review and update the file extensions allowlist https://docs.aveva.com/bundle/pi-server-f-af-pse/page/1022248.html \n\n\n * for annotation attachments to remove potentially vulnerable of undesired file types (ex: svg, pdf, ...).\n\n * Consider implementing IT policies that would prevent users from \nsubverting/disabling content security policy browser protections.\n\n * Inform PI Web API users that annotation attachments should be \nretrieved through direct REST requests to PI Web API rather than \nrendering them in the browser interface.\n\n * Audit assigned privileges to ensure that only trusted users are given \"Annotate\" access rights https://docs.aveva.com/bundle/pi-server-f-af-pse/page/1020021.html \nFor additional information please refer to AVEVA-2025-003 https://www.aveva.com/en/support-and-success/cyber-security-updates/ ."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-12T20:09:20.915656Z", "id": "CVE-2025-2745", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-12T20:09:34.976Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2745", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-12T20:09:20.915656Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-12T20:09:24.567Z"}}], "cna": {"title": "AVEVA PI Web API Cross-site Scripting", "source": {"advisory": "ICSA-25-162-08", "discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "AVEVA reported this vulnerability to CISA."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "AVEVA", "product": "PI Web API", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2023 SP1"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "AVEVA recommends that organizations evaluate the impact of these \nvulnerabilities based on their operational environment, architecture, \nand product implementation. Users of affected product versions should \napply security updates to mitigate the risk of exploit.\n\nFrom OSISoft Customer Portal https://my.osisoft.com/ , search for \"PI Web API\" and select version 2023 SP1 Patch 1 or higher.\u00a0\n\nFor additional information please refer to AVEVA-2025-003 https://www.aveva.com/en/support-and-success/cyber-security-updates/ .", "supportingMedia": [{"type": "text/html", "value": "<p>AVEVA recommends that organizations evaluate the impact of these \nvulnerabilities based on their operational environment, architecture, \nand product implementation. Users of affected product versions should \napply security updates to mitigate the risk of exploit.</p><p>From <a target=\"_blank\" rel=\"nofollow\" href=\"https://my.osisoft.com/\">OSISoft Customer Portal</a>, search for \"PI Web API\" and select version 2023 SP1 Patch 1 or higher.&nbsp;<br>\nFor additional information please refer to <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.aveva.com/en/support-and-success/cyber-security-updates/\">AVEVA-2025-003</a>.\n\n<br></p>", "base64": false}]}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-162-08"}, {"url": "https://www.aveva.com/en/support-and-success/cyber-security-updates/"}], "workarounds": [{"lang": "en", "value": "AVEVA further recommends users follow general defensive measures:\n\n\n\n * Review and update the file extensions allowlist https://docs.aveva.com/bundle/pi-server-f-af-pse/page/1022248.html \n\n\n * for annotation attachments to remove potentially vulnerable of undesired file types (ex: svg, pdf, ...).\n\n * Consider implementing IT policies that would prevent users from \nsubverting/disabling content security policy browser protections.\n\n * Inform PI Web API users that annotation attachments should be \nretrieved through direct REST requests to PI Web API rather than \nrendering them in the browser interface.\n\n * Audit assigned privileges to ensure that only trusted users are given \"Annotate\" access rights https://docs.aveva.com/bundle/pi-server-f-af-pse/page/1020021.html \nFor additional information please refer to AVEVA-2025-003 https://www.aveva.com/en/support-and-success/cyber-security-updates/ .", "supportingMedia": [{"type": "text/html", "value": "<p>AVEVA further recommends users follow general defensive measures:</p>\n<ul>\n<li>Review and update the <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.aveva.com/bundle/pi-server-f-af-pse/page/1022248.html\">file extensions allowlist</a></li></ul><li> for annotation attachments to remove potentially vulnerable of undesired file types (ex: svg, pdf, ...).</li>\n<li>Consider implementing IT policies that would prevent users from \nsubverting/disabling content security policy browser protections.</li>\n<li>Inform PI Web API users that annotation attachments should be \nretrieved through direct REST requests to PI Web API rather than \nrendering them in the browser interface.</li>\n<li>Audit assigned privileges to ensure that only trusted users are given \"Annotate\" <a target=\"_blank\" rel=\"nofollow\" href=\"https://docs.aveva.com/bundle/pi-server-f-af-pse/page/1020021.html\">access rights</a></li><p>For additional information please refer to <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.aveva.com/en/support-and-success/cyber-security-updates/\">AVEVA-2025-003</a>.\n\n<br></p>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A cross-site scripting vulnerability exists in AVEVA\u00a0PI Web API version 2023 \nSP1 and prior that, if exploited, could allow an authenticated attacker \n(with privileges to create/update annotations or upload media files) to \npersist arbitrary JavaScript code that will be executed by users who \nwere socially engineered to disable content security policy protections \nwhile rendering annotation attachments from within a web browser.", "supportingMedia": [{"type": "text/html", "value": "A cross-site scripting vulnerability exists in AVEVA&nbsp;PI Web API version 2023 \nSP1 and prior that, if exploited, could allow an authenticated attacker \n(with privileges to create/update annotations or upload media files) to \npersist arbitrary JavaScript code that will be executed by users who \nwere socially engineered to disable content security policy protections \nwhile rendering annotation attachments from within a web browser.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-06-12T19:42:27.001Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2745", "state": "PUBLISHED", "dateUpdated": "2025-06-12T20:09:34.976Z", "dateReserved": "2025-03-24T16:30:31.847Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2025-06-12T19:42:27.001Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A cross-site scripting vulnerability exists in AVEVA\u00a0PI Web API version 2023 \nSP1 and prior that, if exploited, could allow an authenticated attacker \n(with privileges to create/update annotations or upload media files) to \npersist arbitrary JavaScript code that will be executed by users who \nwere socially engineered to disable content security policy protections \nwhile rendering annotation attachments from within a web browser."}, {"lang": "es", "value": "Existe una vulnerabilidad de cross-site scripting en AVEVA PI Web API versi\u00f3n 2023 SP1 y anteriores que, de ser explotada, podr\u00eda permitir que un atacante autenticado (con privilegios para crear o actualizar anotaciones o cargar archivos multimedia) persista c\u00f3digo JavaScript arbitrario que ser\u00e1 ejecutado por usuarios que fueron manipulados socialmente para deshabilitar las protecciones de la pol\u00edtica de seguridad de contenido mientras procesan archivos adjuntos de anotaciones desde un navegador web."}], "id": "CVE-2025-2745", "lastModified": "2025-06-16T12:32:18.840", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 4.7, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2025-06-12T20:15:21.040", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://www.aveva.com/en/support-and-success/cyber-security-updates/"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-162-08"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}

{}