This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.
The remote host is affected by multiple vulnerabilities.
The version of Inductive Automation Ignition listening on the remote
host is affected by multiple vulnerabilities :
- A cross-site scripting vulnerability exists in Java Web
Start when adding any symbols to web requests for
starting Java applets. A remote attacker can exploit
this to inject malicious input and include JNLP files.
- An information disclosure vulnerability exists due to
error messages generated by unhandled exceptions.
- OPC server credentials may be insecurely stored in plain
- Sessions are not properly terminated by the web
interface after logout, allowing a remote attacker to
reuse the session to gain unauthorized access.
- Resetting the session ID parameter using an HTTP request
allows an attacker to bypass prevention mechanisms for
brute force login attacks. (CVE-2015-0994)
- A weak hashing algorithm (MD5) is used for storing
password information in the authentication database,
thus allowing easier brute-force attacks to gain
See also :
Upgrade to Ignition 7.5.14 / 7.7.4.
Risk factor :
Medium / CVSS Base Score : 6.4
Nessus Plugin ID: 83952