Permanent Cross-Site-Scripting Vulnerability in openPDC and openHistorian

Date Published: March 25, 2025
Affects: openPDC v2.9.349 and earlier, openHistorian v2.8.463 and earlier
Severity: Medium
Overview
A critical vulnerability has been identified in openPDC and openHistorian, which allows an attacker with access to an authenticated user account to perform permanent Cross-Site-Scripting (XSS) resulting in the execution of arbitrary JavaScript code when any user accesses the web interface. This flaw can potentially lead to the remote execution of arbitrary commands, allowing an attacker to execute unauthorized code on affected systems.
Vulnerability Details
The vulnerability occurs when a user has access to modify or add a new device, user, or other configuration object. During the insert or update of the object, the authenticated user can supply arbitrary JavaScript code, which is executed when any user views that configuration object. The affected feature fails to properly validate and sanitize user-supplied parameters such as names and acronyms, which makes the XSS possible.
Impact
If successfully exploited, an attacker could:
- Execute arbitrary JS commands on an end-user's web browser.
- Potentially gain access to Session Cookies and User Access Data.
Mitigation/Remediation
- GPA has released a patch for this issue included in openPDC v2.9.350.0 and openHistorian v2.8.464.0.
- Ensure password complexity requirements are sufficient: In order to exploit this vulnerability an attacker needs access to an authenticated user account.
- Monitor logs for unusual activity: Review system and application logs for signs of unauthorized access or attempts to exploit this vulnerability.
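The following is an added example, not code from openPDC, openHistorian or GPA. It contrasts rendering a stored configuration field without and with HTML encoding (the failure described under Vulnerability Details) and audits stored records for markup as part of the review recommended above. The record shape (ID, Acronym, Name), the sample values and all function names are assumptions constructed for illustration.

```javascript
// Added example; not openPDC/openHistorian code. Record shape and values are constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that let text break out of an HTML text node or quoted attribute.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored value is concatenated into markup as-is,
// so markup saved in Name or Acronym is parsed by every viewer's browser.
function renderRowUnsafe(device) {
  return `<tr><td>${device.Acronym}</td><td>${device.Name}</td></tr>`;
}

// Hardened pattern: encode at output time, so the stored text is displayed, never parsed.
function renderRowSafe(device) {
  return `<tr><td>${escapeHtml(device.Acronym)}</td><td>${escapeHtml(device.Name)}</td></tr>`;
}

// Review aid: list stored fields that contain markup-like content.
// Apostrophes and ampersands are legitimate in names, so only angle brackets,
// javascript: URLs and inline event-handler attributes are flagged.
const SUSPICIOUS = /[<>]|javascript:|\bon\w+\s*=/i;
function auditRecords(records, fields = ['Acronym', 'Name']) {
  const findings = [];
  for (const record of records) {
    for (const field of fields) {
      const value = String(record[field] ?? '');
      if (SUSPICIOUS.test(value)) findings.push({ id: record.ID, field, value });
    }
  }
  return findings;
}

// Constructed sample records (hypothetical export of device configuration).
const sampleDevices = [
  { ID: 1, Acronym: 'PMU_EAST', Name: "O'Brien Substation PMU" },
  { ID: 2, Acronym: 'PMU_WEST', Name: 'West Bus<script>/* constructed marker */</script>' },
];

for (const device of sampleDevices) {
  console.log(renderRowSafe(device));
}
console.log(auditRecords(sampleDevices));
```

A finding from the audit is a prompt to review who created or last changed that record, not proof of exploitation; output encoding remains the control that prevents execution.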
Fix Information
A patch addressing this vulnerability has been released. The vulnerability has been fixed in openPDC version 2.9.350.0 and later and openHistorian version 2.8.464.0 and later. We strongly recommend installation of the latest version available and keeping openPDC and openHistorian up to date.
Disclaimer
The information provided in this advisory is provided "as is" and does not guarantee the security of systems. We strongly recommend that users apply patches as soon as they are available and follow best practices for securing systems against known vulnerabilities.