OSIsoft PI Web API 2019 (ICSA-20-163-01) – Product Used in the Water and Wastewater and Energy Sectors

CISA has published an advisory on a cross-site scripting vulnerability in OSIsoft PI Web API 2019. PI Web API 2019 Patch 1 (1.12.0.6346) and all previous versions are affected. Successful exploitation of this vulnerability could allow a remote authenticated attacker with write access to a PI Server to trick a user into interacting with a PI Web API endpoint that executes arbitrary JavaScript in the user’s browser, resulting in view, modification, or deletion of data as allowed for by the victim’s user permissions. OSIsoft recommends affected users upgrade to PI Web API 2019 SP1 as well as implement a series of measures to prevent exploitation. CISA also recommends a series of measures to mitigate the vulnerability. Read the advisory at CISA.