HIGH🇵🇱 Wersja polska

CVE-2022-37122

CVSS 7.5v3.1pub. 2022-08-31upd. 2024-11-21

Carel pCOWeb HVAC BACnet Gateway 2.1.0, Firmware: A2.1.0 - B2.1.0, Application Software: 2.15.4A Software v16 13020200 suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Carel Applica

    APP
    Carel
    16_130202002.154a
  • Carel Pcoweb Card

    HW
    Carel
    wszystkie wersje
  • Carel Pcoweb Card Firmware

    OS
    Carel
    a2.1.0 – b.2.1.0
  • Carel Pcoweb Hvac Bacnet Gateway

    APP
    Carel
    2.1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2019-11369HIGH8.8ten sam produkt

An issue was discovered in Carel pCOWeb prior to B1.2.4. In /config/pw_changeusers.html the device stores clea...

CVE-2019-9484HIGH7.5ten sam produkt

The Glen Dimplex Deutschland GmbH implementation of the Carel pCOWeb configuration tool allows remote attacker...

CVE-2019-11370MEDIUM5.4ten sam produkt

Stored XSS was discovered in Carel pCOWeb prior to B1.2.4, as demonstrated by the config/pw_snmp.html "System ...

CVE-2022-34827CRITICAL9.9ten sam vendor

Carel Boss Mini 1.5.0 has Improper Access Control.

CVE-2019-13553CRITICAL9.8ten sam vendor

Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 – B1.2.4. The authentic...