Security News > 2020 > June > Vulnerability in OSIsoft PI System Can Facilitate Attacks on Critical Infrastructure
A stored cross-site scripting vulnerability in OSIsoft PI System, a product often present in critical infrastructure facilities, can be exploited for phishing, privilege escalation and other purposes.
Researchers at industrial cybersecurity company OTORIO discovered that the PI Web API 2019 component of PI System is affected by a stored XSS vulnerability that allows an attacker with limited privileges on the targeted system to conduct various types of activities.
OSIsoft has released a patch for the security hole and it has advised customers to take steps to minimize the risk of attacks.
Dor Yardeni, incident response team leader at OTORIO, told SecurityWeek that in order to exploit this vulnerability an external attacker somehow needs to gain access to PI Server, the data storage and distribution engine that powers PI System.
Once they have access to PI Server, the attacker can exploit the stored XSS vulnerability to inject arbitrary JavaScript code into vulnerable fields in PI Server.
News URL
Related news
- CISA Warns of Critical Jenkins Vulnerability Exploited in Ransomware Attacks (source)
- Russian military hackers linked to critical infrastructure attacks (source)
- SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks (source)
- Critical Security Flaw in WhatsUp Gold Under Active Attack - Patch Now (source)
- CISA warns critical SolarWinds RCE bug is exploited in attacks (source)
- SOCI Act 2024: Thales Report Reveals Critical Infrastructure Breaches in Australia (source)
- Food security: Accelerating national protections around critical infrastructure (source)
- Microsoft Patches Critical Copilot Studio Vulnerability Exposing Sensitive Data (source)
- Critical Flaws in Traccar GPS System Expose Users to Remote Attacks (source)
- SonicWall Issues Critical Patch for Firewall Vulnerability Allowing Unauthorized Access (source)