CVSS: 8.3EPSS: 1%CPEs: 1EXPL: 0CVE-2023-39474 – Inductive Automation Ignition downloadLaunchClientJar Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-39474
08 Aug 2023 — Inductive Automation Ignition downloadLaunchClientJar Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. User interaction is required to exploit this vulnerability in that the target must connect to a malicious server. The specific flaw exists within the downloadLaunchClientJar function. The issue results from the lack of validating a remote JAR file prior to loading it. • https://www.zerodayinitiative.com/advisories/ZDI-23-1049 • CWE-494: Download of Code Without Integrity Check •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-1704 – Inductive Automation Ignition
https://notcve.org/view.php?id=CVE-2022-1704
05 Aug 2022 — Due to an XML external entity reference, the software parses XML in the backup/restore functionality without XML security flags, which may lead to a XXE attack while restoring the backup. Debido a una vulnerabilidad de tipo XML external entity, el software analiza XML en la funcionalidad backup/restore sin banderas de seguridad XML, lo que puede conllevar a un ataque de tipo XXE al restaurar la copia de seguridad • https://www.cisa.gov/uscert/ics/advisories/icsa-22-207-01 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-1264 – Inductive Automation Ignition
https://notcve.org/view.php?id=CVE-2022-1264
20 Jul 2022 — The affected product may allow an attacker with access to the Ignition web configuration to run arbitrary code. El producto afectado puede permitir a un atacante con acceso a la configuración web de Ignition ejecutar código arbitrario • https://www.cisa.gov/uscert/ics/advisories/icsa-22-102-03 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.3EPSS: 3%CPEs: 2EXPL: 1CVE-2022-36126
https://notcve.org/view.php?id=CVE-2022-36126
16 Jul 2022 — An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. The ScriptInvoke function allows remote attackers to execute arbitrary code by supplying a Python script. Se ha detectado un problema en Inductive Automation Ignition versiones anteriores a 7.9.20 y versiones 8.x anteriores a 8.1.17. La función ScriptInvoke permite a atacantes remotos ejecutar código arbitrario mediante el suministro de un script de Python • https://github.com/sourceincite/randy • CWE-863: Incorrect Authorization •
CVSS: 10.0EPSS: 1%CPEs: 2EXPL: 1CVE-2022-35890
https://notcve.org/view.php?id=CVE-2022-35890
15 Jul 2022 — An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vision Client Session IDs are mishandled. An attacker can determine which session IDs were generated in the past and then hijack sessions assigned to these IDs via Randy. Se ha detectado un problema en Inductive Automation Ignition versiones anteriores a 7.9.20 y versiones 8.x anteriores a 8.1.17. Los identificadores de sesión de los clientes Designer y Vision son manejados de forma inapropiada. • https://github.com/sourceincite/randy • CWE-863: Incorrect Authorization •
CVSS: 10.0EPSS: 2%CPEs: 1EXPL: 0CVE-2022-35869 – Inductive Automation Ignition Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2022-35869
15 Jul 2022 — This vulnerability allows remote attackers to bypass authentication on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Authentication is not required to exploit this vulnerability. The specific flaw exists within com.inductiveautomation.ignition.gateway.web.pages. The issue results from the lack of proper authentication prior to access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. • https://support.inductiveautomation.com/hc/en-us/articles/7625759776653-Regarding-Pwn2Own-2022-Vulnerabilities • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 8.8EPSS: 19%CPEs: 1EXPL: 0CVE-2022-35870 – Inductive Automation Ignition Deserialization of Untrusted Data Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-35870
15 Jul 2022 — This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within com.inductiveautomation.metro.impl. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerabili... • https://support.inductiveautomation.com/hc/en-us/articles/7625759776653-Regarding-Pwn2Own-2022-Vulnerabilities • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-35872 – Inductive Automation Ignition Deserialization of Untrusted Data Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-35872
15 Jul 2022 — This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ZIP files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerabili... • https://support.inductiveautomation.com/hc/en-us/articles/7625759776653-Regarding-Pwn2Own-2022-Vulnerabilities • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-35873 – Inductive Automation Ignition ZIP File Insufficient UI Warning Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-35873
15 Jul 2022 — This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of ZIP files. Crafted data in a ZIP file can cause the application to execute arbitrary Python scripts. The user interface fails to provide sufficient indication of the hazard. • https://support.inductiveautomation.com/hc/en-us/articles/7625759776653-Regarding-Pwn2Own-2022-Vulnerabilities • CWE-356: Product UI does not Warn User of Unsafe Actions •
CVSS: 8.1EPSS: 42%CPEs: 1EXPL: 0CVE-2022-35871 – Inductive Automation Ignition Missing Authentication for Critical Function Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-35871
15 Jul 2022 — This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Authentication is not required to exploit this vulnerability. The specific flaw exists within the authenticateAdSso method. The issue results from the lack of authentication prior to allowing the execution of python code. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. • https://support.inductiveautomation.com/hc/en-us/articles/7625759776653-Regarding-Pwn2Own-2022-Vulnerabilities • CWE-306: Missing Authentication for Critical Function •