GCVE - cpe:2.3:h:carel:pcoweb_card:-:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:h:carel:pcoweb_card:-:*:*:*:*:*:*:*

part: h version: - update: *

Vendor	Carel (`6bd52e11-361f-576d-b221-3e469990bee5`)
Product	Pcoweb Card (`8d072e92-ed2c-5f1f-a257-302e4fbe8f10`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2022-37122`	not_vulnerable	2026-06-08 05:46:08.650431	Details available Carel pCOWeb HVAC BACnet Gateway 2.1.0, Firmware: A2.1.0 - B2.1.0, Application Software: 2.15.4A Software v16 13020200 suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks. Published: 2022-08-31T15:47:57.000Z Updated: 2024-08-03T10:21:33.235Z Open on db.gcve.eu Reference links https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5709.php https://www.zeroscience.mk/codes/carelpco_dir.txt https://packetstormsecurity.com/files/167684/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2019-9484`	not_vulnerable	2026-06-08 05:14:25.310562	Details available The Glen Dimplex Deutschland GmbH implementation of the Carel pCOWeb configuration tool allows remote attackers to obtain access via an HTTP session on port 10000, as demonstrated by reading the modem password (which is 1234), or reconfiguring "party mode" or "vacation mode." Published: 2019-03-01T06:00:00.000Z Updated: 2024-08-04T21:54:44.032Z Open on db.gcve.eu Reference links https://medium.com/%40SergiuSechel/insecure-permissions-in-glen-dimplex-deutschland-gmbh-implementation-of-carel-pcoweb-configuration-ca3896f24835	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2019-11370`	not_vulnerable	2026-06-08 05:12:37.084881	Details available Stored XSS was discovered in Carel pCOWeb prior to B1.2.4, as demonstrated by the config/pw_snmp.html "System contact" field. Published: 2019-06-03T19:44:10.000Z Updated: 2024-08-04T22:48:09.145Z Open on db.gcve.eu Reference links https://drive.google.com/open?id=1WkmtsCVNCtxwWH2fe9DtHow_Nedp1a7j https://github.com/nepenthe0320/cve_poc/blob/master/CVE-2019-11370	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2019-11369`	not_vulnerable	2026-06-08 05:12:37.084362	Details available An issue was discovered in Carel pCOWeb prior to B1.2.4. In /config/pw_changeusers.html the device stores cleartext passwords, which may allow sensitive information to be read by someone with access to the device. Published: 2019-06-03T19:48:25.000Z Updated: 2024-08-04T22:48:09.170Z Open on db.gcve.eu Reference links https://drive.google.com/open?id=12Sq6oaxe1mC1y71Emo1YladjDjwTdNfb https://github.com/nepenthe0320/cve_poc/blob/master/CVE-2019-11369 http://seclists.org/fulldisclosure/2019/Oct/45	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.