Main Vulnerability Database SB2019030108

SB2019030108 - Unprotected storage of credentials in Carel pCOWeb

Published: March 1, 2019 Updated: October 25, 2019

Security Bulletin ID SB2019030108

CSH Severity

High

Patch available

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Credentials management (CVE-ID: CVE-2019-9484)

CWE-ID: CWE-255 - Credentials Management

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Amber

The vulnerability allows a remote attacker to gain access to the target system.

The vulnerability exists due to improper management of credentials in the Glen Dimplex Deutschland GmbH implementation. A remote attacker can scan the ports 10000 or 10001 and obtain access via an HTTP session, as demonstrated by reading the modem password (which is 1234), or reconfiguring "party mode" or "vacation mode".

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

https://medium.com/@SergiuSechel/insecure-permissions-in-glen-dimplex-deutschland-gmbh-implementatio...