CVE-2019-11369 - Vulnerability Details - OpenCVE

An issue was discovered in Carel pCOWeb prior to B1.2.4. In /config/pw_changeusers.html the device stores cleartext passwords, which may allow sensitive information to be read by someone with access to the device.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.08106.

Key SSVC decision points have not yet been added.

Vendors	Products
Carel	Pcoweb Card Pcoweb Card Firmware

Configuration 1 [-]

AND

cpe:2.3:o:carel:pcoweb_card_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:carel:pcoweb_card:-:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2019-3047	An issue was discovered in Carel pCOWeb prior to B1.2.4. In /config/pw_changeusers.html the device stores cleartext passwords, which may allow sensitive information to be read by someone with access to the device.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://seclists.org/fulldisclosure/2019/Oct/45
https://drive.google.com/open?id=12Sq6oaxe1mC1y71Emo1YladjDjwTdNfb
https://github.com/nepenthe0320/cve_poc/blob/master/CVE-2019-11369

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-06-03T19:48:25

Updated: 2024-08-04T22:48:09.170Z

Reserved: 2019-04-20T00:00:00

Link: CVE-2019-11369

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-06-03T20:29:00.393

Modified: 2024-11-21T04:20:58.087

Link: CVE-2019-11369

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Carel pCOWeb prior to B1.2.4. In /config/pw_changeusers.html the device stores cleartext passwords, which may allow sensitive information to be read by someone with access to the device."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-11-01T02:06:23", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://drive.google.com/open?id=12Sq6oaxe1mC1y71Emo1YladjDjwTdNfb"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/nepenthe0320/cve_poc/blob/master/CVE-2019-11369"}, {"name": "20191031 [RT-SA-2019-013] Unsafe Storage of Credentials in Carel pCOWeb HVAC", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2019/Oct/45"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-11369", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Carel pCOWeb prior to B1.2.4. In /config/pw_changeusers.html the device stores cleartext passwords, which may allow sensitive information to be read by someone with access to the device."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://drive.google.com/open?id=12Sq6oaxe1mC1y71Emo1YladjDjwTdNfb", "refsource": "MISC", "url": "https://drive.google.com/open?id=12Sq6oaxe1mC1y71Emo1YladjDjwTdNfb"}, {"name": "https://github.com/nepenthe0320/cve_poc/blob/master/CVE-2019-11369", "refsource": "MISC", "url": "https://github.com/nepenthe0320/cve_poc/blob/master/CVE-2019-11369"}, {"name": "20191031 [RT-SA-2019-013] Unsafe Storage of Credentials in Carel pCOWeb HVAC", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2019/Oct/45"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:48:09.170Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://drive.google.com/open?id=12Sq6oaxe1mC1y71Emo1YladjDjwTdNfb"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nepenthe0320/cve_poc/blob/master/CVE-2019-11369"}, {"name": "20191031 [RT-SA-2019-013] Unsafe Storage of Credentials in Carel pCOWeb HVAC", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2019/Oct/45"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-11369", "datePublished": "2019-06-03T19:48:25", "dateReserved": "2019-04-20T00:00:00", "dateUpdated": "2024-08-04T22:48:09.170Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:carel:pcoweb_card_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C7862F26-B5F2-4DA5-8087-AAD03457344C", "versionEndExcluding": "b1.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:carel:pcoweb_card:-:*:*:*:*:*:*:*", "matchCriteriaId": "DE87B839-78E7-4789-9B5A-7EAB4834337B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Carel pCOWeb prior to B1.2.4. In /config/pw_changeusers.html the device stores cleartext passwords, which may allow sensitive information to be read by someone with access to the device."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Carel pCOWeb antes de B1.2.4. En /config/pw_changeusers.html, el dispositivo almacena contrase\u00f1as de texto simple, el cual puede permitir que alguien con acceso al dispositivo lea la informaci\u00f3n confidencial."}], "id": "CVE-2019-11369", "lastModified": "2024-11-21T04:20:58.087", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-03T20:29:00.393", "references": [{"source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2019/Oct/45"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://drive.google.com/open?id=12Sq6oaxe1mC1y71Emo1YladjDjwTdNfb"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/nepenthe0320/cve_poc/blob/master/CVE-2019-11369"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2019/Oct/45"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://drive.google.com/open?id=12Sq6oaxe1mC1y71Emo1YladjDjwTdNfb"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/nepenthe0320/cve_poc/blob/master/CVE-2019-11369"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}