An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vision Client Session IDs are mishandled. An attacker can determine which session IDs were generated in the past and then hijack sessions assigned to these IDs via Randy.
oryginał ENCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HInductiveautomation Ignition
APPInductiveautomation< 7.9.208.0.1 – 8.1.17 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Powiązane podatności
CVE-2023-39476CRITICAL9.8PL ✓ten sam produkt
Inductive Automation Ignition — RCE przez deserialization w JavaSerializationCodec
CVE-2023-38121CRITICAL9.0PL ✓ten sam produkt
XSS do RCE w Inductive Automation Ignition OPC UA Quick Client
CVE-2023-39475CRITICAL9.8PL ✓ten sam produkt
RCE przez deserializację w Inductive Automation Ignition (ParameterVersionJavaSerializationCodec)
CVE-2022-35869CRITICAL9.8ten sam produkt
This vulnerability allows remote attackers to bypass authentication on affected installations of Inductive Aut...
CVE-2023-38122HIGH7.2ten sam produkt
Inductive Automation Ignition OPC UA Quick Client Permissive Cross-domain Policy Remote Code Execution Vulnera...