Cross-Site Scripting Vulnerability in AVEVA PI Web API
CVE-2025-2745

4.5MEDIUM

Key Information:

Vendor: Aveva
Status: Pi Web Api
Vendor: CVE Published:; 12 June 2025

What is CVE-2025-2745?

A cross-site scripting vulnerability has been identified in the AVEVA PI Web API, which allows authenticated users with permissions to create or update annotations and upload media files to inject malicious JavaScript code. If successfully exploited, this code will execute in the browsers of users who have been manipulated into disabling security policies while viewing annotation attachments. This vulnerability poses a significant risk, especially in environments where security practices may not be strictly followed.

Affected Version(s)

PI Web API 0 <= 2023 SP1

References

https://www.cisa.gov/news-events/ics-advisories/icsa-25-1...

https://www.aveva.com/en/support-and-success/cyber-securi...

CVSS V4

Score:

4.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2025
Vulnerability Reserved
Mar 24, 2025

Credit

AVEVA reported this vulnerability to CISA.

Aveva

What is CVE-2025-2745?

Affected Version(s)

References

CVSS V4

Timeline

Credit