How to fix CVE-2025-2745?

Within 30 days: Identify affected systems running AVEVA PI Web API and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.

Is AVEVA PI Web API affected by CVE-2025-2745?

Organizations using AVEVA PI Web API should be aware of notable risk from CVE-2025-2745, a cross-site scripting vulnerability rated CVSS 6.5. Attackers could inject scripts to steal sessions or perform actions as authenticated users.

AVEVA PI Web API CVE-2025-2745

EUVD-2025-18212 MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2025-06-12 [email protected]

XSS

6.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 21:20 euvd

EUVD-2025-18212

Analysis Generated

Mar 14, 2026 - 21:20 vuln.today

CVE Published

Jun 12, 2025 - 20:15 nvd

MEDIUM 6.5

DescriptionNVD

A cross-site scripting vulnerability exists in AVEVA PI Web API version 2023 SP1 and prior that, if exploited, could allow an authenticated attacker (with privileges to create/update annotations or upload media files) to persist arbitrary JavaScript code that will be executed by users who were socially engineered to disable content security policy protections while rendering annotation attachments from within a web browser.

Analysis

Technical ContextAI

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

RemediationAI

Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

CVE-2025-2745 vulnerability details – vuln.today

Back