CVSS: 8.3EPSS: 3%CPEs: 2EXPL: 1CVE-2022-36126
https://notcve.org/view.php?id=CVE-2022-36126
16 Jul 2022 — An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. The ScriptInvoke function allows remote attackers to execute arbitrary code by supplying a Python script. Se ha detectado un problema en Inductive Automation Ignition versiones anteriores a 7.9.20 y versiones 8.x anteriores a 8.1.17. La función ScriptInvoke permite a atacantes remotos ejecutar código arbitrario mediante el suministro de un script de Python • https://github.com/sourceincite/randy • CWE-863: Incorrect Authorization •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2022-35890
https://notcve.org/view.php?id=CVE-2022-35890
15 Jul 2022 — An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vision Client Session IDs are mishandled. An attacker can determine which session IDs were generated in the past and then hijack sessions assigned to these IDs via Randy. Se ha detectado un problema en Inductive Automation Ignition versiones anteriores a 7.9.20 y versiones 8.x anteriores a 8.1.17. Los identificadores de sesión de los clientes Designer y Vision son manejados de forma inapropiada. • https://github.com/sourceincite/randy • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2022-1706 – ignition: configs are accessible from unprivileged containers in VMs running on VMware products
https://notcve.org/view.php?id=CVE-2022-1706
17 May 2022 — A vulnerability was found in Ignition where ignition configs are accessible from unprivileged containers in VMs running on VMware products. This issue is only relevant in user environments where the Ignition config contains secrets. The highest threat from this vulnerability is to data confidentiality. Possible workaround is to not put secrets in the Ignition config. Se ha encontrado una vulnerabilidad en Ignition en la que las configuraciones de encendido son accesibles desde contenedores no privilegiados ... • https://bugzilla.redhat.com/show_bug.cgi?id=2082274 • CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-43996
https://notcve.org/view.php?id=CVE-2021-43996
17 Nov 2021 — The Ignition component before 1.16.15, and 2.0.x before 2.0.6, for Laravel has a "fix variable names" feature that can lead to incorrect access control. El componente Ignition versiones anteriores a 1.16.15, y versiones 2.0.x anteriores a 2.0.6, para Laravel presenta una función "fix variable names" que puede conllevar un control de acceso incorrecto. • https://github.com/facade/ignition/compare/1.16.14...1.16.15 •
CVSS: 5.3EPSS: 0%CPEs: 20EXPL: 1CVE-2021-24219 – All Thrive Themes and Plugins - Unauthenticated Option Update
https://notcve.org/view.php?id=CVE-2021-24219
12 Apr 2021 — The Thrive Optimize WordPress plugin before 1.4.13.3, Thrive Comments WordPress plugin before 1.4.15.3, Thrive Headline Optimizer WordPress plugin before 1.3.7.3, Thrive Leads WordPress plugin before 2.3.9.4, Thrive Ultimatum WordPress plugin before 2.3.9.4, Thrive Quiz Builder WordPress plugin before 2.3.9.4, Thrive Apprentice WordPress plugin before 2.3.9.4, Thrive Visual Editor WordPress plugin before 2.6.7.4, Thrive Dashboard WordPress plugin before 2.3.9.3, Thrive Ovation WordPress plugin before 2.4.5,... • https://wpscan.com/vulnerability/35acd2d8-85fc-4af5-8f6c-224fa7d92900 • CWE-284: Improper Access Control CWE-306: Missing Authentication for Critical Function •
CVSS: 9.1EPSS: 0%CPEs: 10EXPL: 1CVE-2021-24220 – All Thrive Themes Legacy Themes < 2.0.0 - Unauthenticated Arbitrary File Upload and Option Deletion
https://notcve.org/view.php?id=CVE-2021-24220
24 Mar 2021 — Thrive “Legacy” Rise by Thrive Themes WordPress theme before 2.0.0, Luxe by Thrive Themes WordPress theme before 2.0.0, Minus by Thrive Themes WordPress theme before 2.0.0, Ignition by Thrive Themes WordPress theme before 2.0.0, FocusBlog by Thrive Themes WordPress theme before 2.0.0, Squared by Thrive Themes WordPress theme before 2.0.0, Voice WordPress theme before 2.0.0, Performag by Thrive Themes WordPress theme before 2.0.0, Pressive by Thrive Themes WordPress theme before 2.0.0, Storied by Thrive Them... • https://wpscan.com/vulnerability/a2424354-2639-4f53-a24f-afc11f6c4cac • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 94%CPEs: 2EXPL: 36CVE-2021-3129 – Laravel Ignition File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2021-3129
12 Jan 2021 — Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2. Ignition versiones anteriores a 2.5.2, como es usado en Laravel y otros productos, permite a atacantes remotos no autenticados ejecutar código arbitrario debido a un uso no seguro de las funciones file_get_contents() y file_put_contents(... • https://packetstorm.news/files/id/165999 •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-13909
https://notcve.org/view.php?id=CVE-2020-13909
07 Jun 2020 — The Ignition component before 2.0.5 for Laravel mishandles globals, _get, _post, _cookie, and _env. NOTE: in the 1.x series, versions 1.16.15 and later are unaffected as a consequence of the CVE-2021-43996 fix. El componente Ignition anterior a la versión 2.0.5 para Laravel maneja mal los globals, _get, _post, _cookie y _env. NOTA: en la serie 1.x, las versiones 1.16.15 y posteriores no están afectadas como consecuencia de la corrección de CVE-2021-43996. • https://github.com/facade/ignition/compare/2.0.4...2.0.5 •
CVSS: 9.8EPSS: 4%CPEs: 1EXPL: 5CVE-2009-4426 – Ignition 1.2 - Multiple Local File Inclusions
https://notcve.org/view.php?id=CVE-2009-4426
28 Dec 2009 — Multiple directory traversal vulnerabilities in Ignition 1.2, when magic_quotes_gpc is disabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the blog parameter to (1) comment.php and (2) view.php. Múltiples vulnerabilidades de salto de directorio en Ignition v1.2, cuando está deshabilitado magic_quotes_gpc, permite a atacantes remotos incluir y ejecutar ficheros de su elección mediante los caracteres .. (punto punto) en el parámetro "blog" en (1) comment.php y (... • https://www.exploit-db.com/exploits/10569 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •