CVE-2019-11369 - OpenCVE

An issue was discovered in Carel pCOWeb prior to B1.2.4. In /config/pw_changeusers.html the device stores cleartext passwords, which may allow sensitive information to be read by someone with access to the device.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Carel	Pcoweb Card Pcoweb Card Firmware

Configuration 1 [-]

AND

cpe:2.3:h:carel:pcoweb_card:-:*:*:*:*:*:*:*

cpe:2.3:o:carel:pcoweb_card_firmware:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://seclists.org/fulldisclosure/2019/Oct/45
https://drive.google.com/open?id=12Sq6oaxe1mC1y71Emo1YladjDjwTdNfb
https://github.com/nepenthe0320/cve_poc/blob/master/CVE-2019-11369

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-06-03T19:48:25

Updated: 2024-08-04T22:48:09.170Z

Reserved: 2019-04-20T00:00:00

Link: CVE-2019-11369

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-06-03T20:29:00.393

Modified: 2020-08-24T17:37:01.140

Link: CVE-2019-11369

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Carel pCOWeb prior to B1.2.4. In /config/pw_changeusers.html the device stores cleartext passwords, which may allow sensitive information to be read by someone with access to the device."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-11-01T02:06:23", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://drive.google.com/open?id=12Sq6oaxe1mC1y71Emo1YladjDjwTdNfb"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/nepenthe0320/cve_poc/blob/master/CVE-2019-11369"}, {"name": "20191031 [RT-SA-2019-013] Unsafe Storage of Credentials in Carel pCOWeb HVAC", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2019/Oct/45"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-11369", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Carel pCOWeb prior to B1.2.4. In /config/pw_changeusers.html the device stores cleartext passwords, which may allow sensitive information to be read by someone with access to the device."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://drive.google.com/open?id=12Sq6oaxe1mC1y71Emo1YladjDjwTdNfb", "refsource": "MISC", "url": "https://drive.google.com/open?id=12Sq6oaxe1mC1y71Emo1YladjDjwTdNfb"}, {"name": "https://github.com/nepenthe0320/cve_poc/blob/master/CVE-2019-11369", "refsource": "MISC", "url": "https://github.com/nepenthe0320/cve_poc/blob/master/CVE-2019-11369"}, {"name": "20191031 [RT-SA-2019-013] Unsafe Storage of Credentials in Carel pCOWeb HVAC", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2019/Oct/45"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:48:09.170Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://drive.google.com/open?id=12Sq6oaxe1mC1y71Emo1YladjDjwTdNfb"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nepenthe0320/cve_poc/blob/master/CVE-2019-11369"}, {"name": "20191031 [RT-SA-2019-013] Unsafe Storage of Credentials in Carel pCOWeb HVAC", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2019/Oct/45"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-11369", "datePublished": "2019-06-03T19:48:25", "dateReserved": "2019-04-20T00:00:00", "dateUpdated": "2024-08-04T22:48:09.170Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:carel:pcoweb_card:-:*:*:*:*:*:*:*", "matchCriteriaId": "DE87B839-78E7-4789-9B5A-7EAB4834337B", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:carel:pcoweb_card_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C7862F26-B5F2-4DA5-8087-AAD03457344C", "versionEndExcluding": "b1.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Carel pCOWeb prior to B1.2.4. In /config/pw_changeusers.html the device stores cleartext passwords, which may allow sensitive information to be read by someone with access to the device."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Carel pCOWeb antes de B1.2.4. En /config/pw_changeusers.html, el dispositivo almacena contrase\u00f1as de texto simple, el cual puede permitir que alguien con acceso al dispositivo lea la informaci\u00f3n confidencial."}], "id": "CVE-2019-11369", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-03T20:29:00.393", "references": [{"source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2019/Oct/45"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://drive.google.com/open?id=12Sq6oaxe1mC1y71Emo1YladjDjwTdNfb"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/nepenthe0320/cve_poc/blob/master/CVE-2019-11369"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}