An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Designer and Vision Client Session IDs are mishandled. An attacker can determine which session IDs were generated in the past and then hijack sessions assigned to these IDs via Randy.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HInductiveautomation Ignition
APPInductiveautomation< 7.9.208.0.1 – 8.1.17 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
Related vulnerabilities
CVE-2023-39476CRITICAL9.8PL ✓ten sam produkt
Inductive Automation Ignition — RCE przez deserialization w JavaSerializationCodec
CVE-2023-38121CRITICAL9.0PL ✓ten sam produkt
XSS do RCE w Inductive Automation Ignition OPC UA Quick Client
CVE-2023-39475CRITICAL9.8PL ✓ten sam produkt
RCE przez deserializację w Inductive Automation Ignition (ParameterVersionJavaSerializationCodec)
CVE-2022-35869CRITICAL9.8ten sam produkt
This vulnerability allows remote attackers to bypass authentication on affected installations of Inductive Aut...
CVE-2023-38122HIGH7.2ten sam produkt
Inductive Automation Ignition OPC UA Quick Client Permissive Cross-domain Policy Remote Code Execution Vulnera...