nessus
This script is Copyright (C) 2015-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
SCADA_INDUCTIVE_AUTOMATION_IGNITION_ICSA-15-090-01.NBIN
History: Jun 02, 2015 - 12:00 a.m.

Inductive Automation Ignition Multiple Vulnerabilities

2015-06-02 00:00:00
www.tenable.com

CVSS2: 6.4

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

EPSS: 0.006
Percentile: 78.4%

The version of Inductive Automation Ignition listening on the remote host is affected by multiple vulnerabilities:

  • A cross-site scripting vulnerability exists in Java Web Start when adding any symbols to web requests for starting Java applets. A remote attacker can exploit this to inject malicious input and include JNLP files. (CVE-2015-0976)

  • An information disclosure vulnerability exists due to error messages generated by unhandled exceptions. (CVE-2015-0991)

  • OPC server credentials may be insecurely stored in plain text. (CVE-2015-0992)

  • Sessions are not properly terminated by the web interface after logout, allowing a remote attacker to reuse the session to gain unauthorized access. (CVE-2015-0993)

  • Resetting the session ID parameter using an HTTP request allows an attacker to bypass prevention mechanisms for brute force login attacks. (CVE-2015-0994)

  • A weak hashing algorithm (MD5) is used for storing password information in the authentication database, thus allowing easier brute-force attacks to gain access. (CVE-2015-0995)

Binary data scada_inductive_automation_ignition_ICSA-15-090-01.nbin
