Inductive Automation Ignition vulnerabilities
35 known vulnerabilities affecting inductiveautomation/ignition.
Total CVEs: 35
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 20, MEDIUM 8, LOW 1
Vulnerabilities
Page 2 of 2
CVE-2022-35871 | HIGH | CVSS 7.8 | CWE-306 | v8.1.15 | 2022-07-25
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Authentication is not required to exploit this vulnerability. The specific flaw exists within the authenticateAdSso method. The issue results from the lack of authentication prior to allowing the executi
nvd
CVE-2022-35870 | HIGH | CVSS 7.8 | CWE-502 | v8.1.15 | 2022-07-25
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within com.inductiveautomation.metro.impl. The issue res
nvd
CVE-2022-35872 | HIGH | CVSS 7.8 | CWE-502 | v8.1.15 | 2022-07-25
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ZIP files. The issue res
nvd
CVE-2022-35873 | HIGH | CVSS 7.8 | CWE-356 | v8.1.15 | 2022-07-25
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of ZIP files. Crafted da
nvd
CVE-2022-1264 | HIGH | CVSS 8.8 | CWE-22 | ≥ 8.0.4, < 8.1.10 | 2022-07-20
The affected product may allow an attacker with access to the Ignition web configuration to run arbitrary code.
nvd
CVE-2022-36126 | HIGH | CVSS 7.2 | CWE-863 | fixed in 7.9.20; ≥ 8.0.1, < 8.1.17 | 2022-07-16
An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. The ScriptInvoke function allows remote attackers to execute arbitrary code by supplying a Python script.
nvd
CVE-2022-35890 | CRITICAL | CVSS 9.8 | CWE-863 | fixed in 7.9.20; ≥ 8.0.1, < 8.1.17 | 2022-07-15
An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vision Client Session IDs are mishandled. An attacker can determine which session IDs were generated in the past and then hijack sessions assigned to these IDs via Randy.
nvd
CVE-2022-1706 | MEDIUM | CVSS 6.5 | ≥ 0, < 2.14.0+ds1-1 | 2022-05-17
A vulnerability was found in Ignition where ignition configs are accessible from unprivileged containers in VMs running on VMware products. This issue is only relevant in user environments where the Ignition config contains secrets. The highest threat from this vulnerability is to data confidentiality. Possible workaround
osv
CVE-2020-14479 | MEDIUM | CVSS 5.3 | CWE-306 | ≥ 7.0.0, < 7.9.14; ≥ 8.0.1, ≤ 8.0.10 | 2022-04-01
Sensitive information can be obtained through the handling of serialized data. The issue results from the lack of proper authentication required to query the server
nvd
CVE-2015-0991 | MEDIUM | CVSS 5.0 | CWE-200 | v7.7.2 | 2015-04-03
Inductive Automation Ignition 7.7.2 allows remote attackers to obtain sensitive information by reading an error message about an unhandled exception, as demonstrated by pathname information.
nvd
CVE-2015-0995 | MEDIUM | CVSS 5.0 | CWE-255 | v7.7.2 | 2015-04-03
Inductive Automation Ignition 7.7.2 uses MD5 password hashes, which makes it easier for context-dependent attackers to obtain access via a brute-force attack.
nvd
CVE-2015-0976 | MEDIUM | CVSS 4.3 | CWE-79 | v7.7.2 | 2015-04-03
Cross-site scripting (XSS) vulnerability in Inductive Automation Ignition 7.7.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
nvd
CVE-2015-0994 | MEDIUM | CVSS 4.0 | CWE-254 | v7.7.2 | 2015-04-03
Inductive Automation Ignition 7.7.2 allows remote authenticated users to bypass a brute-force protection mechanism by using different session ID values in a series of HTTP requests.
nvd
CVE-2015-0993 | MEDIUM | CVSS 6.4 | CWE-254 | v7.7.2 | 2015-04-03
Inductive Automation Ignition 7.7.2 does not terminate a session upon a logout action, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation.
nvd
CVE-2015-0992 | LOW | CVSS 2.1 | CWE-200 | v7.7.2 | 2015-04-03
Inductive Automation Ignition 7.7.2 stores cleartext OPC Server credentials, which allows local users to obtain sensitive information via unspecified vectors.
nvd