CVSS: 9.0 | EPSS: 49% | CPEs: 1 | EXPL: 0 | CVE-2023-50223 – Inductive Automation Ignition ExtendedDocumentCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-50223
05 Jan 2024 — Inductive Automation Ignition ExtendedDocumentCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The specific flaw exists within the ExtendedDocumentCodec class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. • https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-693337449c5b • CWE-502: Deserialization of Untrusted Data
CVSS: 10.0 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2022-1704 – Inductive Automation Ignition
https://notcve.org/view.php?id=CVE-2022-1704
05 Aug 2022 — Due to an XML external entity reference, the software parses XML in the backup/restore functionality without XML security flags, which may lead to an XXE attack while restoring the backup. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-207-01 • CWE-611: Improper Restriction of XML External Entity Reference
CVSS: 8.3 | EPSS: 3% | CPEs: 2 | EXPL: 1 | CVE-2022-36126
https://notcve.org/view.php?id=CVE-2022-36126
16 Jul 2022 — An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. The ScriptInvoke function allows remote attackers to execute arbitrary code by supplying a Python script. • https://github.com/sourceincite/randy • CWE-863: Incorrect Authorization
CVSS: 10.0 | EPSS: 1% | CPEs: 2 | EXPL: 1 | CVE-2022-35890
https://notcve.org/view.php?id=CVE-2022-35890
15 Jul 2022 — An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vision Client Session IDs are mishandled. An attacker can determine which session IDs were generated in the past and then hijack sessions assigned to these IDs via Randy. • https://github.com/sourceincite/randy • CWE-863: Incorrect Authorization
CVSS: 7.5 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2022-1706 – ignition: configs are accessible from unprivileged containers in VMs running on VMware products
https://notcve.org/view.php?id=CVE-2022-1706
17 May 2022 — A vulnerability was found in Ignition where Ignition configs are accessible from unprivileged containers in VMs running on VMware products. This issue is only relevant in user environments where the Ignition config contains secrets. The highest threat from this vulnerability is to data confidentiality. A possible workaround is to not put secrets in the Ignition config. • https://bugzilla.redhat.com/show_bug.cgi?id=2082274 • CWE-863: Incorrect Authorization
CVSS: 5.3 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2020-14479 – ICSA-20-147-01 Inductive Automation Ignition (Update B)
https://notcve.org/view.php?id=CVE-2020-14479
01 Apr 2022 — Sensitive information can be obtained through the handling of serialized data. The issue results from the lack of proper authentication required to query the server. • https://www.cisa.gov/uscert/ics/advisories/icsa-20-147-01 • CWE-306: Missing Authentication for Critical Function
CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2021-43996
https://notcve.org/view.php?id=CVE-2021-43996
17 Nov 2021 — The Ignition component before 1.16.15, and 2.0.x before 2.0.6, for Laravel has a "fix variable names" feature that can lead to incorrect access control. • https://github.com/facade/ignition/compare/1.16.14...1.16.15
CVSS: 5.3 | EPSS: 16% | CPEs: 20 | EXPL: 1 | CVE-2021-24219 – All Thrive Themes and Plugins - Unauthenticated Option Update
https://notcve.org/view.php?id=CVE-2021-24219
12 Apr 2021 — The Thrive Optimize WordPress plugin before 1.4.13.3, Thrive Comments WordPress plugin before 1.4.15.3, Thrive Headline Optimizer WordPress plugin before 1.3.7.3, Thrive Leads WordPress plugin before 2.3.9.4, Thrive Ultimatum WordPress plugin before 2.3.9.4, Thrive Quiz Builder WordPress plugin before 2.3.9.4, Thrive Apprentice WordPress plugin before 2.3.9.4, Thrive Visual Editor WordPress plugin before 2.6.7.4, Thrive Dashboard WordPress plugin before 2.3.9.3, Thrive Ovation WordPress plugin before 2.4.5,... • https://wpscan.com/vulnerability/35acd2d8-85fc-4af5-8f6c-224fa7d92900 • CWE-284: Improper Access Control • CWE-306: Missing Authentication for Critical Function
CVSS: 9.1 | EPSS: 63% | CPEs: 10 | EXPL: 1 | CVE-2021-24220 – All Thrive Themes Legacy Themes < 2.0.0 - Unauthenticated Arbitrary File Upload and Option Deletion
https://notcve.org/view.php?id=CVE-2021-24220
24 Mar 2021 — Thrive "Legacy" Rise by Thrive Themes WordPress theme before 2.0.0, Luxe by Thrive Themes WordPress theme before 2.0.0, Minus by Thrive Themes WordPress theme before 2.0.0, Ignition by Thrive Themes WordPress theme before 2.0.0, FocusBlog by Thrive Themes WordPress theme before 2.0.0, Squared by Thrive Themes WordPress theme before 2.0.0, Voice WordPress theme before 2.0.0, Performag by Thrive Themes WordPress theme before 2.0.0, Pressive by Thrive Themes WordPress theme before 2.0.0, Storied by Thrive Them... • https://wpscan.com/vulnerability/a2424354-2639-4f53-a24f-afc11f6c4cac • CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS: 9.8 | EPSS: 94% | CPEs: 2 | EXPL: 37 | CVE-2021-3129 – Laravel Ignition File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2021-3129
12 Jan 2021 — Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2. • https://packetstorm.news/files/id/165999
