Rewterz Threat Advisory – CVE-2020-25163 – ICS: OSIsoft PI Vision

Severity

Medium

Analysis Summary

CVE-2020-25163

A remote attacker with write access to PI ProcessBook files could inject code that is imported into PI Vision. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. 

CVE-2020-25167

PI Vision could disclose information to a user with insufficient privileges for an AF attribute.

Impact

  • Cross-site Scripting
  • Incorrect Authorization

Affected Vendors

OSIsoft

Affected Products

All versions prior to PI Vision 2020 are affected.

Remediation

OSIsoft released PI Vision 2020 Version 3.5.0 to address this vulnerability.