CVE-2015-1013

Name of the Vulnerable Software and Affected Versions OSIsoft PI AF versions 2.6 through 2.7 PI SQL for AF version 2.1.2.19

Description The issue is related to the lack of protection in the SQL query structure, allowing remote authenticated users to bypass intended command restrictions via SQL statements. This can be exploited by including an account in the Trusted Users group and excluding it from the Everyone group, thus enabling the bypass of SQL command limitations.

Recommendations For OSIsoft PI AF versions 2.6 through 2.7, ensure the PI SQL (AF) Trusted Users group does not include the Everyone account to prevent bypassing of command restrictions. For PI SQL for AF version 2.1.2.19, restrict access to the Trusted Users group and remove the Everyone account from it to mitigate the risk of exploitation.