Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
AnalysisAI
Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2. Affected products include: Facade Ignition. Version information: before 2.5.2.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Rated critical severity (C
Thrive “Legacy” Rise by Thrive Themes WordPress theme before 2.0.0, Luxe by Thrive Themes WordPress theme before 2.0.0,
An issue was discovered in Inductive Automation Ignition before 7.9.20 and 8.x before 8.1.17. Rated high severity (CVSS
Due to an XML external entity reference, the software parses XML in the backup/restore functionality without XML securit
This vulnerability allows remote attackers to bypass authentication on affected installations of Inductive Automation Ig
The Ignition component before 1.16.15, and 2.0.x before 2.0.6, for Laravel has a "fix variable names" feature that can l
The Ignition component before 2.0.5 for Laravel mishandles globals, _get, _post, _cookie, and _env. Rated critical sever
The Thrive Optimize WordPress plugin before 1.4.13.3, Thrive Comments WordPress plugin before 1.4.15.3, Thrive Headline
The affected product may allow an attacker with access to the Ignition web configuration to run arbitrary code. Rated hi
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation I
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation I
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation I
Share
External POC / Exploit Code
Leaving vuln.today