Remote Code Execution Vulnerability in Inductive Automation Ignition's Base64Element
CVE-2023-50220

8.8HIGH

Key Information:

Vendor: Inductive Automation
Status: Ignition
Vendor: CVE Published:; 3 May 2024

🔔 Create Inductive Automation Vulnerability Alert

What is CVE-2023-50220?

A vulnerability exists in the Base64Element class of Inductive Automation Ignition that allows remote attackers to execute arbitrary code by sending specially crafted user-supplied data. The vulnerability arises from insufficient validation, enabling deserialization of untrusted data. Exploiting this flaw requires authentication, allowing an attacker to potentially execute code with system-level privileges, which could lead to severe security breaches.

References

https://www.zerodayinitiative.com/advisories/ZDI-24-015/

https://security.inductiveautomation.com/?tcuUid=fc4c4515...

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 3, 2024

JSON