35 matches found
CVE-2015-0992
CVE-2015-0992 affects Inductive Automation Ignition 7.7.2, where OPC Server credentials are stored in plaintext in the settings file, enabling local users to obtain sensitive information via unspecified vectors. The connected documents corroborate plaintext storage of credentials as the root caus...
CVE-2022-35890
Inductive Automation Ignition is vulnerable to CVE-2022-35890 due to mishandled session IDs in the Designer and Vision Client. An attacker can determine past-generated session IDs and hijack sessions assigned to those IDs via Randy. Affected versions are Ignition before 7.9.20 and 8.x before 8.1....
CVE-2022-35871
Inductive Automation Ignition 8.1.15 (b2022030114) is affected by CVE-2022-35871. The flaw is in the authenticateAdSso method, where lack of authentication allows executing Python code, potentially running as SYSTEM. This is a remote-exploitable issue without required authentication. Connected so...
CVE-2022-35870
CVE-2022-35870 affects Inductive Automation Ignition 8.1.15 (b2022030114). The flaw is deserialization of untrusted data in com.inductiveautomation.metro.impl that can be exploited to execute code with SYSTEM privileges, bypassing authentication. Public disclosures reference ZDI-2022-1017; Red Ha...
CVE-2022-35869
This CVE affects Inductive Automation Ignition 8.1.15 (b2022030114). The vulnerability is an authentication bypass in the gateway.web.pages component (com.inductiveautomation.ignition.gateway.web.pages) caused by lack of proper authentication prior to access to functionality. An attacker can remo...
CVE-2023-39472
CVE-2023-39472 — Inductive Automation Ignition is affected through the SimpleXMLReader’s XML External Entity (XXE) handling, where a crafted XML can trigger the parser to fetch a URI and embed its contents, enabling information disclosure in the SYSTEM context. Exploitation requires authenticatio...
CVE-2022-35873
CVE-2022-35873 affects Inductive Automation Ignition 8.1.15 (b2022030114). The vulnerability arises in ZIP file processing; crafted ZIP data can cause the application to execute arbitrary Python scripts, with code execution in the SYSTEM context. Exploitation requires user interaction (victim mus...
CVE-2022-36126
CVE-2022-36126 affects Inductive Automation Ignition prior to 7.9.20 and 8.x prior to 8.1.17. The issue is in the ScriptInvoke function, which allows remote attackers to execute arbitrary Python code by supplying a script, leading to remote code execution with high impact on confidentiality, inte...
CVE-2022-1704
CVE-2022-1704 affects Inductive Automation Ignition. The issue arises from parsing XML in the backup/restore functionality without XML security flags, enabling a potential XML External Entity (XXE) attack. Affected products/versions include: Ignition 8.1.x up to before 8.1.8, and Ignition 7.9.x b...
CVE-2023-50218
CVE-2023-50218 affects Inductive Automation Ignition, specifically the ModuleInvoke class, where unvalidated user-supplied data can be deserialized, enabling remote code execution with SYSTEM privileges. The vulnerability is network-accessible (attack vector: NETWORK) with low initial access requ...
CVE-2023-38121
CVE-2023-38121 affects Inductive Automation Ignition (OPC UA Quick Client). The vulnerability stems from improper validation of the id parameter in the web interface, enabling cross-site scripting that can lead to remote code execution with SYSTEM privileges. Exploitation requires user interactio...
CVE-2023-50220
This CVE (CVE-2023-50220) affects Inductive Automation Ignition, specifically the Base64Element class. The issue is a deserialization flaw where untrusted data can be deserialized due to insufficient validation, enabling remote code execution. Exploitation context: attacker-controlled input can r...
CVE-2023-50221
CVE-2023-50221 affects Inductive Automation Ignition: the deserialization flaw in the ResponseParser’s SerializedResponse allows remote code execution. The issue stems from insufficient validation of untrusted data, enabling code execution in the attacker’s context after a target connects to a ma...
CVE-2023-39473
The CVE-2023-39473 entry concerns Inductive Automation Ignition's AbstractGatewayFunction deserialization vulnerability. The flaw stems from insufficient validation of user-supplied data, enabling deserialization of untrusted input and remote code execution. Exploitation requires authentication a...
CVE-2023-50232
CVE-2023-50232 exposes a remote code execution in Inductive Automation Ignition via a getParams argument injection. The flaw stems from insufficient validation of a user-supplied string used to form a system-call argument, allowing code execution in the context of the current user. Exploitation r...
CVE-2023-50233
CVE-2023-50233 concerns Inductive Automation Ignition, specifically the getJavaExecutable directory traversal vulnerability. The flaw stems from inadequate validation of a user-supplied path before performing file operations, enabling an attacker to execute arbitrary code in the context of the cu...
CVE-2023-38122
CVE-2023-38122 affects Inductive Automation Ignition OPC UA Quick Client. The flaw is in the web server configuration, arising from missing Content Security Policy headers, enabling a cross-domain policy that can lead to remote code execution. Authentication is required to exploit, but the authen...
CVE-2023-50222
CVE-2023-50222 concerns Inductive Automation Ignition’s ResponseParser Notification: deserialization of untrusted data enables remote code execution. The flaw stems from insufficient validation of user-supplied data in the ResponseParser method, allowing an attacker to execute code in the context...
CVE-2022-35872
CVE-2022-35872 affects Inductive Automation Ignition 8.1.15 (b2022030114). The issue is in the ZIP file parsing logic where untrusted data is deserialized due to inadequate validation, enabling remote code execution with SYSTEM privileges. Exploitation requires user interaction (target visits a m...
CVE-2023-38123
Inductive Automation Ignition OPC UA Quick Client contains an authentication bypass in the server configuration that controls access to password-change functionality. The vulnerability allows remote attackers to bypass authentication after the user visits a malicious page or opens a malicious fil...
CVE-2023-50219
CVE-2023-50219 affects Inductive Automation Ignition, specifically the RunQuery deserialization pathway. The flaw permits deserialization of untrusted data due to inadequate validation in the RunQuery class, enabling remote code execution with SYSTEM privileges. Authentication is required to expl...
CVE-2023-38124
CVE-2023-38124 affects Inductive Automation Ignition Gateway/OPC UA Quick Client Task Scheduling. The flaw stems from exposing a dangerous function in the Ignition Gateway server, allowing remote attackers to execute code with SYSTEM privileges after authenticating. Documents consistently describ...
CVE-2023-50223
Inductive Automation Ignition is affected. The ExtendedDocumentCodec deserialization flaw stems from inadequate validation of untrusted input, enabling remote code execution with SYSTEM privileges. Authentication is required to exploit. No explicit patch/version details are provided here; refer t...
CVE-2023-39477
This CVE (CVE-2023-39477) affects Inductive Automation Ignition. The flaw lies in how OPC UA ConditionRefresh requests are handled, allowing an unauthenticated attacker to generate a denial-of-service condition by sending a large volume of requests, potentially exhausting server resources. The vu...
CVE-2023-39476
CVE-2023-39476 affects Inductive Automation Ignition via the JavaSerializationCodec deserialization of untrusted data. The flaw is that user-supplied data is not properly validated, enabling an attacker to deserialize untrusted data and execute code in the context of SYSTEM. Exploitation requires...
CVE-2015-0976
CVE-2015-0976 is an XSS vulnerability in Inductive Automation Ignition 7.7.2. The issue stems from improper neutralization of input in web page generation, with the server reflecting HTTP request data back in the HTTP response, enabling remote attackers to inject arbitrary script. Several connect...
CVE-2015-0994
In Inductive Automation Ignition, CVE-2015-0994 impacts Ignition 7.7.2, where remote authenticated users can bypass the built-in brute-force protection by manipulating session ID values across a sequence of HTTP requests. The underlying issue involves session handling and credentials management t...
CVE-2015-0995
Summary: CVE-2015-0995 affects Inductive Automation Ignition 7.7.2, which uses MD5 password hashes. The root cause is the use of MD5 for storing passwords, enabling context-dependent attackers to gain access via brute-forcing. The vulnerability is described as exploitable remotely in several sour...
CVE-2023-39475
CVE-2023-39475 affects Inductive Automation Ignition through the ParameterVersionJavaSerializationCodec deserialization of untrusted data. The root cause is lack of validation of user-supplied data in this class, allowing a remote attacker to execute arbitrary code in the context of SYSTEM withou...
CVE-2015-0993
Inductive Automation Ignition 7.7.2 is affected by CVE-2015-0993, where sessions are not terminated on logout, allowing a remote attacker to bypass access controls via an unattended workstation. Connected sources confirm Ignition is vulnerable in 7.7.x (notably
CVE-2023-39474
CVE-2023-39474 (Inductive Automation Ignition) affects the Ignition platform, specifically the downloadLaunchClientJar function. The flaw is due to loading a remote JAR without validating it, enabling a remote attacker to execute arbitrary code in the context of the current user. Exploitation req...
CVE-2015-0991
CVE-2015-0991 affects Inductive Automation Ignition 7.7.2. The vulnerability is an information disclosure where remote attackers can obtain sensitive data by reading an error message about an unhandled exception, potentially revealing pathname information. The NVD entry lists a CVSS v2 base score...
CVE-2020-14479
CVE-2020-14479 affects Inductive Automation Ignition (Gateway) with a vulnerability described as missing authentication for a critical function, leading to information disclosure via serialized data handling. Affected products include Ignition Gateway versions prior to 7.9.14 (7.x line) and prior...
CVE-2022-1264
Path traversal vulnerability CVE-2022-1264 affects Inductive Automation Ignition. An attacker with network access to the Ignition web configuration could run arbitrary code. Affected products: Ignition all 8.0 versions after 8.0.4, and all 8.1 versions prior to 8.1.10. MITIGATIONS: upgrade to Ign...
CVE-2025-13913
The CVE-2025-13913 entry concerns Inductive Automation Ignition software deserialization of untrusted data. A privileged Ignition user importing a specially crafted external file can trigger execution of embedded malicious code, due to deserialization of the crafted payload in the imported file. ...