Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Inductiveautomation Subscribe
Total 21 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-12000 1 Inductiveautomation 1 Ignition Gateway 2023-03-02 5.0 MEDIUM 7.5 HIGH
The affected product is vulnerable to the handling of serialized data. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data on the Ignition 8 Gateway (versions prior to 8.0.10) and Ignition 7 Gateway (versions prior to 7.9.14), allowing an attacker to obtain sensitive information.
CVE-2022-1704 1 Inductiveautomation 1 Ignition 2022-08-11 N/A 9.8 CRITICAL
Due to an XML external entity reference, the software parses XML in the backup/restore functionality without XML security flags, which may lead to a XXE attack while restoring the backup.
CVE-2022-35869 1 Inductiveautomation 1 Ignition 2022-08-03 N/A 9.8 CRITICAL
This vulnerability allows remote attackers to bypass authentication on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Authentication is not required to exploit this vulnerability. The specific flaw exists within com.inductiveautomation.ignition.gateway.web.pages. The issue results from the lack of proper authentication prior to access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-17211.
CVE-2022-35870 1 Inductiveautomation 1 Ignition 2022-08-03 N/A 7.8 HIGH
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within com.inductiveautomation.metro.impl. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-17265.
CVE-2022-35871 1 Inductiveautomation 1 Ignition 2022-08-03 N/A 7.8 HIGH
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Authentication is not required to exploit this vulnerability. The specific flaw exists within the authenticateAdSso method. The issue results from the lack of authentication prior to allowing the execution of python code. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-17206.
CVE-2022-35872 1 Inductiveautomation 1 Ignition 2022-08-03 N/A 7.8 HIGH
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ZIP files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-17115.
CVE-2022-35873 1 Inductiveautomation 1 Ignition 2022-08-03 N/A 7.8 HIGH
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of ZIP files. Crafted data in a ZIP file can cause the application to execute arbitrary Python scripts. The user interface fails to provide sufficient indication of the hazard. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-16949.
CVE-2022-1264 1 Inductiveautomation 1 Ignition 2022-07-27 N/A 8.8 HIGH
The affected product may allow an attacker with access to the Ignition web configuration to run arbitrary code.
CVE-2022-36126 1 Inductiveautomation 1 Ignition 2022-07-22 N/A 7.2 HIGH
An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. The ScriptInvoke function allows remote attackers to execute arbitrary code by supplying a Python script.
CVE-2022-35890 1 Inductiveautomation 1 Ignition 2022-07-21 N/A 9.8 CRITICAL
An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vision Client Session IDs are mishandled. An attacker can determine which session IDs were generated in the past and then hijack sessions assigned to these IDs via Randy.
CVE-2020-14479 1 Inductiveautomation 1 Ignition 2022-04-08 5.0 MEDIUM 5.3 MEDIUM
Sensitive information can be obtained through the handling of serialized data. The issue results from the lack of proper authentication required to query the server
CVE-2020-10641 1 Inductiveautomation 1 Ignition Gateway 2021-12-20 5.0 MEDIUM 7.5 HIGH
An unprotected logging route may allow an attacker to write endless log statements into the database without space limits or authentication. This results in consuming the entire available hard-disk space on the Ignition 8 Gateway (versions prior to 8.0.10), causing a denial-of-service condition.
CVE-2020-14520 1 Inductiveautomation 1 Ignition Gateway 2020-08-11 5.0 MEDIUM 7.5 HIGH
The affected product is vulnerable to an information leak, which may allow an attacker to obtain sensitive information on the Ignition 8 (all versions prior to 8.0.13).
CVE-2020-12004 1 Inductiveautomation 1 Ignition Gateway 2020-06-25 5.0 MEDIUM 7.5 HIGH
The affected product lacks proper authentication required to query the server on the Ignition 8 Gateway (versions prior to 8.0.10) and Ignition 7 Gateway (versions prior to 7.9.14), allowing an attacker to obtain sensitive information.
CVE-2020-10644 1 Inductiveautomation 1 Ignition Gateway 2020-06-25 5.0 MEDIUM 7.5 HIGH
The affected product lacks proper validation of user-supplied data, which can result in deserialization of untrusted data on the Ignition 8 Gateway (versions prior to 8.0.10) and Ignition 7 Gateway (versions prior to 7.9.14), allowing an attacker to obtain sensitive information.
CVE-2015-0994 1 Inductiveautomation 1 Ignition 2015-04-03 4.0 MEDIUM N/A
Inductive Automation Ignition 7.7.2 allows remote authenticated users to bypass a brute-force protection mechanism by using different session ID values in a series of HTTP requests.
CVE-2015-0995 1 Inductiveautomation 1 Ignition 2015-04-03 5.0 MEDIUM N/A
Inductive Automation Ignition 7.7.2 uses MD5 password hashes, which makes it easier for context-dependent attackers to obtain access via a brute-force attack.
CVE-2015-0993 1 Inductiveautomation 1 Ignition 2015-04-03 6.4 MEDIUM N/A
Inductive Automation Ignition 7.7.2 does not terminate a session upon a logout action, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation.
CVE-2015-0992 1 Inductiveautomation 1 Ignition 2015-04-03 2.1 LOW N/A
Inductive Automation Ignition 7.7.2 stores cleartext OPC Server credentials, which allows local users to obtain sensitive information via unspecified vectors.
CVE-2015-0991 1 Inductiveautomation 1 Ignition 2015-04-03 5.0 MEDIUM N/A
Inductive Automation Ignition 7.7.2 allows remote attackers to obtain sensitive information by reading an error message about an unhandled exception, as demonstrated by pathname information.