CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-39472 – Inductive Automation Ignition SimpleXMLReader XML External Entity Processing Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2023-39472
Inductive Automation Ignition SimpleXMLReader XML External Entity Processing Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The specific flaw exists within the SimpleXMLReader class. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the SYSTEM. . • https://www.zerodayinitiative.com/advisories/ZDI-23-1048 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-39475 – Inductive Automation Ignition ParameterVersionJavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-39475
Inductive Automation Ignition ParameterVersionJavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ParameterVersionJavaSerializationCodec class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. • https://www.zerodayinitiative.com/advisories/ZDI-23-1047 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-39477 – Inductive Automation Ignition ConditionRefresh Resource Exhaustion Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2023-39477
Inductive Automation Ignition ConditionRefresh Resource Exhaustion Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Inductive Automation Ignition. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of OPC UA ConditionRefresh requests. By sending a large number of requests, an attacker can consume all available resources on the server. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. • https://inductiveautomation.com/downloads/releasenotes/8.1.33 https://www.zerodayinitiative.com/advisories/ZDI-23-1050 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38122 – Inductive Automation Ignition OPC UA Quick Client Permissive Cross-domain Policy Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-38122
Inductive Automation Ignition OPC UA Quick Client Permissive Cross-domain Policy Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the configuration of the web server. The issue results from the lack of appropriate Content Security Policy headers. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of SYSTEM. • https://inductiveautomation.com/blog/inductive-automation-participates-in-pwn2own-to-strengthen-ignition-security https://www.zerodayinitiative.com/advisories/ZDI-23-1013 • CWE-942: Permissive Cross-domain Policy with Untrusted Domains •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38121 – Inductive Automation Ignition OPC UA Quick Client Cross-Site Scripting Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-38121
Inductive Automation Ignition OPC UA Quick Client Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the id parameter provided to the Inductive Automation Ignition web interface. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM. • https://inductiveautomation.com/blog/inductive-automation-participates-in-pwn2own-to-strengthen-ignition-security https://www.zerodayinitiative.com/advisories/ZDI-23-1012 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •