CVE-2023-38121

9.0 CRITICAL

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in Inductive Automation Ignition's OPC UA Quick Client web interface that allows remote code execution. Attackers can inject malicious scripts via the id parameter, potentially executing arbitrary code with SYSTEM privileges. Users of affected Ignition installations who access malicious pages or files are at risk.

💻 Affected Systems

Products:
  • Inductive Automation Ignition
Versions: Specific affected versions are not disclosed in the references; versions prior to the patched release are affected.
Operating Systems: Windows, Linux, macOS (where Ignition runs)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Ignition with OPC UA Quick Client component enabled and accessible via web interface.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, allowing attackers to install malware, steal data, or pivot to other systems.

🟠

Likely Case

Session hijacking, credential theft, or installation of backdoors on affected Ignition servers.

🟢

If Mitigated

Limited to client-side script execution without SYSTEM privileges if proper input validation and output encoding are implemented.

🌐 Internet-Facing: HIGH - Web interface accessible from internet makes exploitation trivial if vulnerable.
🏢 Internal Only: HIGH - Internal attackers or compromised internal systems can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

User interaction is required (the victim must visit a malicious page), but the exploit chain is straightforward once a payload is crafted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in the references, but the vendor has released patches.

Vendor Advisory: https://inductiveautomation.com/blog/inductive-automation-participates-in-pwn2own-to-strengthen-ignition-security

Restart Required: Yes

Instructions:

1. Check the current Ignition version.
2. Download the latest patch from the Inductive Automation portal.
3. Apply the patch following the vendor's instructions.
4. Restart the Ignition services.

🔧 Temporary Workarounds

Disable OPC UA Quick Client

Platforms: all

Temporarily disable the vulnerable OPC UA Quick Client component if not required.

Navigate to Ignition Gateway > Config > OPC UA > Quick Client > Disable

Network Segmentation

Platforms: all

Restrict access to Ignition web interface to trusted networks only.

Configure firewall rules to limit access to Ignition ports (typically 8088, 8043)

🧯 If You Can't Patch

  • Implement strict input validation and output encoding for all user-supplied parameters in custom scripts.
  • Deploy web application firewall (WAF) with XSS protection rules in front of Ignition interface.

🔍 How to Verify

Check if Vulnerable:

Check if Ignition version is before patched release and OPC UA Quick Client is enabled.

Check Version:

Check Ignition Gateway status page or About dialog for version information.

Verify Fix Applied:

Verify that the Ignition version has been updated to the patched release and confirm that script injected via the id parameter is no longer reflected into the page.

📡 Detection & Monitoring

Log Indicators:

  • Script tags or JavaScript URIs in logged id parameter values
  • Multiple failed script injection attempts

Network Indicators:

  • HTTP requests with suspicious script payloads in id parameter
  • Unusual outbound connections from Ignition server

SIEM Query:

source="ignition" AND (id CONTAINS "<script>" OR id CONTAINS "javascript:")
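The log and network indicators above can be turned into a small offline check. The following Python script is an added example for this page, not tooling from Inductive Automation: it parses constructed access-log lines in common log format (the request path is a placeholder, not Ignition's real URL), fully percent-decodes the id parameter so double-encoded payloads are not missed, matches the two indicators from the SIEM query plus inline event-handler attributes (a slight generalisation of the page's indicators), and counts repeat sources to surface the "multiple attempts" pattern listed under log indicators.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines in common access-log format. The request path is a
# placeholder; these are not real Ignition logs.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2023:10:01:02 +0000] "GET /PLACEHOLDER/quickclient?id=ns%3D2%3Bs%3DTank1 HTTP/1.1" 200 512
10.0.0.7 - - [12/Jul/2023:10:01:09 +0000] "GET /PLACEHOLDER/quickclient?id=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.9 - - [12/Jul/2023:10:02:13 +0000] "GET /PLACEHOLDER/quickclient?id=javascript%3Aalert(1) HTTP/1.1" 200 512
10.0.0.9 - - [12/Jul/2023:10:02:20 +0000] "GET /PLACEHOLDER/quickclient?id=%253Cscript%253E HTTP/1.1" 200 512
10.0.0.9 - - [12/Jul/2023:10:02:31 +0000] "GET /PLACEHOLDER/status HTTP/1.1" 200 1024
"""

# client ip, two ignored fields, bracketed timestamp, then the quoted request line
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Indicator name -> pattern, checked against the fully decoded id value.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "event_handler": re.compile(r"\bon\w+\s*=", re.IGNORECASE),
}


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads are not missed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def id_values(target):
    """Return every id= value in the request target (parse_qs decodes once)."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get("id", [])


def find_suspicious_ids(log_text):
    """Return one record per request whose id parameter matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not request records
        for raw in id_values(m.group("target")):
            decoded = fully_decode(raw)
            matched = [name for name, pat in INDICATORS.items() if pat.search(decoded)]
            if matched:
                hits.append({
                    "client": m.group("client"),
                    "decoded_id": decoded,
                    "indicators": matched,
                })
    return hits


def repeat_offenders(hits, threshold=2):
    """Sources with at least `threshold` flagged requests (the 'multiple attempts' indicator)."""
    counts = Counter(h["client"] for h in hits)
    return {client: n for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_suspicious_ids(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['client']}  {hit['indicators']}  id={hit['decoded_id']!r}")
    print("repeat sources:", repeat_offenders(found))
```

Feed the script your gateway's real access log in place of SAMPLE_LOG; the decode loop is what distinguishes this from the one-line SIEM query, which only sees the raw (still-encoded) parameter.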
