CVE-2025-2745
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
Summary
A cross-site scripting vulnerability exists in AVEVA PI Web API version 2023 SP1 and prior that, if exploited, could allow an authenticated attacker (with privileges to create/update annotations or upload media files) to persist arbitrary JavaScript code that will be executed by users who were socially engineered to disable content security policy protections while rendering annotation attachments from within a web browser.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| AVEVA | PI Web API | 0 <= 2023 SP1 | affected |
Weaknesses
- CWE-79: CWE-79
Workarounds
AVEVA further recommends users follow general defensive measures:
Review and update the file extensions allowlist https://docs.aveva.com/bundle/pi-server-f-af-pse/page/1022248.html
for annotation attachments to remove potentially vulnerable of undesired file types (ex: svg, pdf, …).
Consider implementing IT policies that would prevent users from subverting/disabling content security policy browser protections.
Inform PI Web API users that annotation attachments should be retrieved through direct REST requests to PI Web API rather than rendering them in the browser interface.
Audit assigned privileges to ensure that only trusted users are given "Annotate" access rights https://docs.aveva.com/bundle/pi-server-f-af-pse/page/1020021.html For additional information please refer to AVEVA-2025-003 https://www.aveva.com/en/support-and-success/cyber-security-updates/ .
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://www.cisa.gov/news-events/ics-advisories/icsa-25-162-08
- https://www.aveva.com/en/support-and-success/cyber-security-updates/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.