Details of VAR-201708-1405

ID

VAR-201708-1405

CVE

CVE-2017-9655

TITLE

OSIsoft PI Integrator Cross-Site Scripting Vulnerability

Trust: 1.4

sources: IVD: b736db0c-4a0d-4b79-a22a-798941a2ff2f // CNVD: CNVD-2017-22840 // CNNVD: CNNVD-201706-582

DESCRIPTION

A Cross-Site Scripting issue was discovered in OSIsoft PI Integrator for Business Analytics before 2016 R2, PI Integrator for Microsoft Azure before 2016 R2 SP1, and PI Integrator for SAP HANA before 2017. An attacker may be able to upload a malicious script that attempts to redirect users to a malicious web site. OSIsoft PI Integrator Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. OSIsoft PI Integrator is a tool for OSIsoft to provide visual data for external systems. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or gain elevated privileges and perform unauthorized actions. This may aid in further attacks

Trust: 2.61

sources: NVD: CVE-2017-9655 // JVNDB: JVNDB-2017-007178 // CNVD: CNVD-2017-22840 // BID: 100212 // IVD: b736db0c-4a0d-4b79-a22a-798941a2ff2f

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: b736db0c-4a0d-4b79-a22a-798941a2ff2f // CNVD: CNVD-2017-22840

AFFECTED PRODUCTS

vendor:	osisoft	model:	pi integrator for sap hana	scope:	lt	version:	2017	Trust: 1.4
vendor:	osisoft	model:	pi integrator for business analystics	scope:	lte	version:	2016	Trust: 1.0
vendor:	osisoft	model:	pi integrator for microsoft azure	scope:	lte	version:	2016	Trust: 1.0
vendor:	osisoft	model:	pi integrator for sap hana	scope:	lte	version:	2016	Trust: 1.0
vendor:	osisoft	model:	pi integrator for business analytics	scope:	lt	version:	2016 r2	Trust: 0.8
vendor:	osisoft	model:	pi integrator for microsoft azure	scope:	lt	version:	2016 r2 sp1	Trust: 0.8
vendor:	osisoft	model:	pi integrator for business analytics r2	scope:	lt	version:	2016	Trust: 0.6
vendor:	osisoft	model:	pi integrator for microsoft azure r2 sp1	scope:	lt	version:	2016	Trust: 0.6
vendor:	osisoft	model:	pi integrator for microsoft azure	scope:	eq	version:	2016	Trust: 0.6
vendor:	osisoft	model:	pi integrator for sap hana	scope:	eq	version:	2016	Trust: 0.6
vendor:	osisoft	model:	pi integrator for business analystics	scope:	eq	version:	2016	Trust: 0.6
vendor:	osisoft	model:	pi integrator for sap hana	scope:	eq	version:	20160	Trust: 0.3
vendor:	osisoft	model:	pi integrator for microsoft azure	scope:	eq	version:	20160	Trust: 0.3
vendor:	osisoft	model:	pi integrator for business analytics and sap hana sql utility	scope:	eq	version:	2016	Trust: 0.3
vendor:	osisoft	model:	pi integrator for business analytics 2016-business intelligence	scope:	eq	version:	0	Trust: 0.3
vendor:	osisoft	model:	pi integrator for business analytics data warehouse	scope:	eq	version:	2016-0	Trust: 0.3
vendor:	pi integrator for business analystics	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	pi integrator for microsoft azure	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	pi integrator for sap hana	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: b736db0c-4a0d-4b79-a22a-798941a2ff2f // CNVD: CNVD-2017-22840 // BID: 100212 // JVNDB: JVNDB-2017-007178 // CNNVD: CNNVD-201706-582 // NVD: CVE-2017-9655

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-9655
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-9655
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-22840
value:	LOW
Trust: 0.6
CNNVD:	CNNVD-201706-582
value:	LOW
Trust: 0.6
IVD:	b736db0c-4a0d-4b79-a22a-798941a2ff2f
value:	LOW
Trust: 0.2

nvd@nist.gov:	CVE-2017-9655
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-22840
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	b736db0c-4a0d-4b79-a22a-798941a2ff2f
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2017-9655
baseSeverity:	MEDIUM
baseScore:	5.4
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.3
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: IVD: b736db0c-4a0d-4b79-a22a-798941a2ff2f // CNVD: CNVD-2017-22840 // JVNDB: JVNDB-2017-007178 // CNNVD: CNNVD-201706-582 // NVD: CVE-2017-9655

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2017-007178 // NVD: CVE-2017-9655

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-582

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201706-582

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-007178

PATCH

title:	AL00324 - Security updates for PI Integrator For Business Analytics 2016, PI Integrator for Microsoft Azure 2016, and PI Integrator for SAP HANA 2016	url:	https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00324	Trust: 0.8
title:	Patch for OSIsoft PI Integrator Cross-Site Scripting Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/100819	Trust: 0.6

sources: CNVD: CNVD-2017-22840 // JVNDB: JVNDB-2017-007178

EXTERNAL IDS

db:	NVD	id:	CVE-2017-9655	Trust: 3.5
db:	ICS CERT	id:	ICSA-17-220-01	Trust: 3.3
db:	BID	id:	100212	Trust: 1.9
db:	CNVD	id:	CNVD-2017-22840	Trust: 0.8
db:	CNNVD	id:	CNNVD-201706-582	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-007178	Trust: 0.8
db:	IVD	id:	B736DB0C-4A0D-4B79-A22A-798941A2FF2F	Trust: 0.2

sources: IVD: b736db0c-4a0d-4b79-a22a-798941a2ff2f // CNVD: CNVD-2017-22840 // BID: 100212 // JVNDB: JVNDB-2017-007178 // CNNVD: CNNVD-201706-582 // NVD: CVE-2017-9655

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-17-220-01	Trust: 3.3
url:	https://techsupport.osisoft.com/troubleshooting/alerts/al00324	Trust: 1.9
url:	http://www.securityfocus.com/bid/100212	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9655	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9655	Trust: 0.8
url:	https://techsupport.osisoft.com/products/pi-integrators/	Trust: 0.3

sources: CNVD: CNVD-2017-22840 // BID: 100212 // JVNDB: JVNDB-2017-007178 // CNNVD: CNNVD-201706-582 // NVD: CVE-2017-9655

CREDITS

OSIsoft

Trust: 0.3

sources: BID: 100212

SOURCES

db:	IVD	id:	b736db0c-4a0d-4b79-a22a-798941a2ff2f
db:	CNVD	id:	CNVD-2017-22840
db:	BID	id:	100212
db:	JVNDB	id:	JVNDB-2017-007178
db:	CNNVD	id:	CNNVD-201706-582
db:	NVD	id:	CVE-2017-9655

LAST UPDATE DATE

2025-04-20T23:35:46.986000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-22840	date:	2017-08-25T00:00:00
db:	BID	id:	100212	date:	2017-08-08T00:00:00
db:	JVNDB	id:	JVNDB-2017-007178	date:	2017-09-13T00:00:00
db:	CNNVD	id:	CNNVD-201706-582	date:	2017-08-15T00:00:00
db:	NVD	id:	CVE-2017-9655	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	IVD	id:	b736db0c-4a0d-4b79-a22a-798941a2ff2f	date:	2017-08-25T00:00:00
db:	CNVD	id:	CNVD-2017-22840	date:	2017-08-09T00:00:00
db:	BID	id:	100212	date:	2017-08-08T00:00:00
db:	JVNDB	id:	JVNDB-2017-007178	date:	2017-09-13T00:00:00
db:	CNNVD	id:	CNNVD-201706-582	date:	2017-06-15T00:00:00
db:	NVD	id:	CVE-2017-9655	date:	2017-08-14T16:29:00.287