{"api_version":"1","generated_at":"2026-06-13T19:31:59+00:00","cve":"CVE-2020-25163","urls":{"html":"https://cve.report/CVE-2020-25163","api":"https://cve.report/api/cve/CVE-2020-25163.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-25163","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-25163"},"summary":{"title":"CVE-2020-25163","description":"A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with victim’s user permissions.","state":"PUBLIC","assigner":"ics-cert@hq.dhs.gov","published_at":"2022-04-18 17:15:00","updated_at":"2022-04-27 03:21:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02","name":"https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02","refsource":"CONFIRM","tags":[],"title":"OSIsoft PI Vision | CISA","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-25163","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-25163","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"OSIsoft reported these vulnerabilities to CISA","lang":""}],"nvd_cpes":[{"cve_year":"2020","cve_id":"25163","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"osisoft","cpe5":"pi_vision","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"ics-cert@hq.dhs.gov","ID":"CVE-2020-25163","STATE":"PUBLIC","TITLE":"OSIsoft PI Vision Cross-site Scripting"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"PI Vision","version":{"version_data":[{"version_affected":"<","version_value":"2020"}]}}]},"vendor_name":"OSIsoft"}]}},"credit":[{"lang":"eng","value":"OSIsoft reported these vulnerabilities to CISA"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A remote attacker with write access to PI ProcessBook files could inject code that is imported into OSIsoft PI Vision 2020 versions prior to 3.5.0. Unauthorized information disclosure, modification, or deletion is also possible if a victim views or interacts with the infected display. This vulnerability affects PI System data and other data accessible with victim’s user permissions."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-79: Cross-site Scripting"}]}]},"references":{"reference_data":[{"name":"https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02","refsource":"CONFIRM","url":"https://www.cisa.gov/uscert/ics/advisories/icsa-20-315-02"}]},"solution":[{"lang":"eng","value":"OSIsoft released PI Vision 2020 Version 3.5.0, which resolves these vulnerabilities.\n\nRecommended defensive measures and related configuration settings are described on the OSIsoft customer portal (Login required)."}],"source":{"discovery":"INTERNAL"}},"nvd":{"publishedDate":"2022-04-18 17:15:00","lastModifiedDate":"2022-04-27 03:21:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.3,"baseSeverity":"HIGH"},"exploitabilityScore":2.1,"impactScore":5.2},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.9},"severity":"MEDIUM","exploitabilityScore":6.8,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:osisoft:pi_vision:*:*:*:*:*:*:*:*","versionEndExcluding":"2020","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"25163","Ordinal":"186573","Title":"CVE-2020-25163","CVE":"CVE-2020-25163","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"25163","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}