Security News > 2020 > June > Vulnerability in OSIsoft PI System Can Facilitate Attacks on Critical Infrastructure
A stored cross-site scripting vulnerability in OSIsoft PI System, a product often present in critical infrastructure facilities, can be exploited for phishing, privilege escalation and other purposes.
Researchers at industrial cybersecurity company OTORIO discovered that the PI Web API 2019 component of PI System is affected by a stored XSS vulnerability that allows an attacker with limited privileges on the targeted system to conduct various types of activities.
OSIsoft has released a patch for the security hole and it has advised customers to take steps to minimize the risk of attacks.
Dor Yardeni, incident response team leader at OTORIO, told SecurityWeek that in order to exploit this vulnerability an external attacker somehow needs to gain access to PI Server, the data storage and distribution engine that powers PI System.
Once they have access to PI Server, the attacker can exploit the stored XSS vulnerability to inject arbitrary JavaScript code into vulnerable fields in PI Server.
News URL
Related news
- Critical RCE flaw in Apache Tomcat actively exploited in attacks (source)
- New Critical AMI BMC Vulnerability Enables Remote Server Takeover and Bricking (source)
- IBM scores perfect 10 ... vulnerability in mission-critical OS AIX (source)
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- Critical GitHub Attack (source)
- Infoseccers criticize Veeam over critical RCE vulnerability and a failing blacklist (source)
- Critical Cisco Smart Licensing Utility flaws now exploited in attacks (source)
- Ongoing Cyber Attacks Exploit Critical Vulnerabilities in Cisco Smart Licensing Utility (source)
- UAT-5918 Targets Taiwan's Critical Infrastructure Using Web Shells and Open-Source Tools (source)
- Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks (source)