10 results (0.026 seconds)

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0

Due to an XML external entity reference, the software parses XML in the backup/restore functionality without XML security flags, which may lead to a XXE attack while restoring the backup. Debido a una vulnerabilidad de tipo XML external entity, el software analiza XML en la funcionalidad backup/restore sin banderas de seguridad XML, lo que puede conllevar a un ataque de tipo XXE al restaurar la copia de seguridad • https://www.cisa.gov/uscert/ics/advisories/icsa-22-207-01 • CWE-611: Improper Restriction of XML External Entity Reference •

CVSS: 7.2EPSS: 2%CPEs: 2EXPL: 1

An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. The ScriptInvoke function allows remote attackers to execute arbitrary code by supplying a Python script. Se ha detectado un problema en Inductive Automation Ignition versiones anteriores a 7.9.20 y versiones 8.x anteriores a 8.1.17. La función ScriptInvoke permite a atacantes remotos ejecutar código arbitrario mediante el suministro de un script de Python • https://github.com/sourceincite/randy https://srcincite.io/advisories/src-2022-0014 https://support.inductiveautomation.com/hc/en-us/articles/7625759776653 • CWE-863: Incorrect Authorization •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1

An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vision Client Session IDs are mishandled. An attacker can determine which session IDs were generated in the past and then hijack sessions assigned to these IDs via Randy. Se ha detectado un problema en Inductive Automation Ignition versiones anteriores a 7.9.20 y versiones 8.x anteriores a 8.1.17. Los identificadores de sesión de los clientes Designer y Vision son manejados de forma inapropiada. • https://github.com/sourceincite/randy https://support.inductiveautomation.com/hc/en-us/articles/7625759776653 • CWE-863: Incorrect Authorization •

CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0

Sensitive information can be obtained through the handling of serialized data. The issue results from the lack of proper authentication required to query the server Puede obtenerse información confidencial mediante el manejo de datos serializados. El problema es debido a una falta de autenticación apropiada requerida para consultar el servidor • https://www.cisa.gov/uscert/ics/advisories/icsa-20-147-01 • CWE-306: Missing Authentication for Critical Function •

CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0

Inductive Automation Ignition 7.7.2 allows remote authenticated users to bypass a brute-force protection mechanism by using different session ID values in a series of HTTP requests. Inductive Automation Ignition 7.7.2 permite a usuarios remotos autenticados evadir un mecanismo de protección de fuerza bruta mediante el uso de valores de identificadores de sesión diferentes en una serie de solicitudes HTTP. • https://ics-cert.us-cert.gov/advisories/ICSA-15-090-01 • CWE-254: 7PK - Security Features •