Security News > 2020 > June > Vulnerability in OSIsoft PI System Can Facilitate Attacks on Critical Infrastructure
A stored cross-site scripting vulnerability in OSIsoft PI System, a product often present in critical infrastructure facilities, can be exploited for phishing, privilege escalation and other purposes.
Researchers at industrial cybersecurity company OTORIO discovered that the PI Web API 2019 component of PI System is affected by a stored XSS vulnerability that allows an attacker with limited privileges on the targeted system to conduct various types of activities.
OSIsoft has released a patch for the security hole and it has advised customers to take steps to minimize the risk of attacks.
Dor Yardeni, incident response team leader at OTORIO, told SecurityWeek that in order to exploit this vulnerability an external attacker somehow needs to gain access to PI Server, the data storage and distribution engine that powers PI System.
Once they have access to PI Server, the attacker can exploit the stored XSS vulnerability to inject arbitrary JavaScript code into vulnerable fields in PI Server.
News URL
Related news
- FortiManager critical vulnerability under active attack (source)
- Critical Flaws in Tank Gauge Systems Expose Gas Stations to Remote Attacks (source)
- Researchers Warn of Ongoing Attacks Exploiting Critical Zimbra Postjournal Flaw (source)
- Critical Zimbra RCE vulnerability under mass exploitation (CVE-2024-45519) (source)
- CISA: Network switch RCE flaw impacts critical infrastructure (source)
- Critical Ivanti RCE flaw with public exploit now used in attacks (source)
- Microsoft and DOJ disrupt Russian FSB hackers' attack infrastructure (source)
- Apple Releases Critical iOS and iPadOS Updates to Fix VoiceOver Password Vulnerability (source)
- Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast (source)
- CISA says critical Fortinet RCE flaw now exploited in attacks (source)