AVEVA PI Web API Cross-Site Scripting Vulnerability

A cross-site scripting vulnerability has been identified in AVEVA PI Web API versions 2023 SP1 and prior. This vulnerability allows an authenticated attacker, with permissions to create or update annotations or upload media files, to inject arbitrary JavaScript code. The injected code could be executed by users who are manipulated into disabling content security policy protections while viewing annotation attachments in a web browser.

Impact

Exploitation of this vulnerability could lead to the execution of injected JavaScript code in the context of the user's browser, potentially allowing for further exploitation or manipulation of the user's session.

Remediation

Users should update to AVEVA PI Web API version 2023 SP1 Patch 1 or higher. Additionally, review and update the file extensions allowlist for annotation attachments to remove potentially vulnerable file types. Consider implementing IT policies to prevent users from disabling content security policy protections in their web browsers. Inform users to retrieve annotation attachments through direct REST requests to PI Web API instead of using the browser interface. Audit assigned privileges to ensure that only trusted users have annotation access rights.