CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-2745: AVEVA PI Web API Cross-site Scripting

6.5 CVSS

Description

A cross-site scripting vulnerability exists in AVEVA PI Web API version 2023
SP1 and prior that, if exploited, could allow an authenticated attacker
(with privileges to create/update annotations or upload media files) to
persist arbitrary JavaScript code that will be executed by users who
were socially engineered to disable content security policy protections
while rendering annotation attachments from within a web browser.

Classification

CVE ID: CVE-2025-2745

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.5

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

Problem Types

CWE-79

Affected Products

Vendor: AVEVA

Product: PI Web API

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 7.76% (scored less or equal to compared to others)

EPSS Date: 2025-07-09 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-2745
https://www.cisa.gov/news-events/ics-advisories/icsa-25-162-08
https://www.aveva.com/en/support-and-success/cyber-security-updates/

Timeline

2025-06-12 16:15:27 UTC
All CISA Advisories

AVEVA PI Web API
2025-06-12 20:40:17 UTC
CVE

AVEVA PI Web API Cross-site Scripting