CVE-2023-38122 — Permissive Cross-domain Security Policy with Untrusted Domains in Ignition

CWE-942 — Permissive Cross-domain Security Policy with Untrusted Domains3 documents3 sources

Severity

7.2HIGHNVD

EPSS

0.6%

top 31.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Inductiveautomation Ignition Inductive Automation Ignition

Timeline

PublishedMay 3

Description

Inductive Automation Ignition OPC UA Quick Client Permissive Cross-domain Policy Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the configuration of the web server. The issue results from the lack of appropriate Content Securi…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶NVDinductiveautomation/ignition< 8.1.26

▶CVEListV5inductive_automation/ignition8.1.24

🔴Vulnerability Details

CVEList

Inductive Automation Ignition OPC UA Quick Client Permissive Cross-domain Policy Remote Code Execution Vulnerability↗2024-05-03

▶

GHSA

GHSA-2rcm-9pw5-qh2h: Inductive Automation Ignition OPC UA Quick Client Permissive Cross-domain Policy Remote Code Execution Vulnerability↗2024-05-03

▶