CVE-2019-13549

Published: Oct 25, 2019Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Rittal Chiller SK 3232-Series web interface as built upon Carel pCOWeb firmware A1.5.3 – B1.2.4. The authentication mechanism on affected systems does not provide a sufficient level of protection against unauthorized configuration changes. Primary operations, namely turning the cooling unit on and off and setting the temperature set point, can be modified without authentication.

Affected (1)

Products: Carel: Pcoweb Firmware

1 product

Pcoweb Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Carel Pcoweb Firmware	From a1.5.3 to b1.2.4

Running on/with	Platform Versions
Rittal Chiller Sk 3232	All versions

Related CWEs

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References (4)

http://seclists.org/fulldisclosure/2019/Oct/46

Source: ics-cert@hq.dhs.gov

https://www.us-cert.gov/ics/advisories/icsa-19-297-01

Source: ics-cert@hq.dhs.gov

Third Party AdvisoryUS Government Resource

http://seclists.org/fulldisclosure/2019/Oct/46

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.us-cert.gov/ics/advisories/icsa-19-297-01

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

Timeline

No history available yet.