GCVE - cpe:2.3:o:carel:pcoweb_card_firmware:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:o:carel:pcoweb_card_firmware:*:*:*:*:*:*:*:*

part: o version: * update: *

Vendor	Carel (`6bd52e11-361f-576d-b221-3e469990bee5`)
Product	Pcoweb Card Firmware (`bf804f19-549a-57cc-a8b6-6334509cd770`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2022-37122`	vulnerable	2026-06-08 05:46:08.649373	Details available Carel pCOWeb HVAC BACnet Gateway 2.1.0, Firmware: A2.1.0 - B2.1.0, Application Software: 2.15.4A Software v16 13020200 suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks. Published: 2022-08-31T15:47:57.000Z Updated: 2024-08-03T10:21:33.235Z Open on db.gcve.eu Reference links https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5709.php https://www.zeroscience.mk/codes/carelpco_dir.txt https://packetstormsecurity.com/files/167684/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2019-11370`	vulnerable	2026-06-08 05:12:37.084854	Details available Stored XSS was discovered in Carel pCOWeb prior to B1.2.4, as demonstrated by the config/pw_snmp.html "System contact" field. Published: 2019-06-03T19:44:10.000Z Updated: 2024-08-04T22:48:09.145Z Open on db.gcve.eu Reference links https://drive.google.com/open?id=1WkmtsCVNCtxwWH2fe9DtHow_Nedp1a7j https://github.com/nepenthe0320/cve_poc/blob/master/CVE-2019-11370	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2019-11369`	vulnerable	2026-06-08 05:12:37.083469	Details available An issue was discovered in Carel pCOWeb prior to B1.2.4. In /config/pw_changeusers.html the device stores cleartext passwords, which may allow sensitive information to be read by someone with access to the device. Published: 2019-06-03T19:48:25.000Z Updated: 2024-08-04T22:48:09.170Z Open on db.gcve.eu Reference links https://drive.google.com/open?id=12Sq6oaxe1mC1y71Emo1YladjDjwTdNfb https://github.com/nepenthe0320/cve_poc/blob/master/CVE-2019-11369 http://seclists.org/fulldisclosure/2019/Oct/45	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.