CVE-2019-9484
Published Mar 1, 2019
Last updated a year ago
Overview
- Description
- The Glen Dimplex Deutschland GmbH implementation of the Carel pCOWeb configuration tool allows remote attackers to obtain access via an HTTP session on port 10000, as demonstrated by reading the modem password (which is 1234), or reconfiguring "party mode" or "vacation mode."
- Source
- cve@mitre.org
- NVD status
- Modified
Risk scores
CVSS 3.0
- Type
- Primary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Severity
- HIGH
CVSS 2.0
- Type
- Primary
- Base score
- 5
- Impact score
- 2.9
- Exploitability score
- 10
- Vector string
- AV:N/AC:L/Au:N/C:P/I:N/A:N
Weaknesses
- nvd@nist.gov
- CWE-306
Vendor comments
- Glen Dimplex Deutschland GmbH: Glen Dimplex Deutschland GmbH does not deliver the Carel pCOweb card with an open port 10000 or 10001. The shown password ‘1234’ on the webpage is not being used in any current application. It was being used in former times together with a connection via modem; this is not realized anymore. More details on the current application: www.dimplex.de/wiki.
Configurations
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:carel:pcoweb_card_firmware:-:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C8319F37-D9AD-4660-831B-656E52C7DAFC"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:carel:pcoweb_card:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "DE87B839-78E7-4789-9B5A-7EAB4834337B"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]