CVE-2019-9484

Published: Mar 1, 2019Modified: Jun 17, 2026

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The Glen Dimplex Deutschland GmbH implementation of the Carel pCOWeb configuration tool allows remote attackers to obtain access via an HTTP session on port 10000, as demonstrated by reading the modem password (which is 1234), or reconfiguring "party mode" or "vacation mode."

Affected (1)

Products: Carel: Pcoweb Card Firmware

1 product

Pcoweb Card Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Carel Pcoweb Card Firmware	All versions

Running on/with	Platform Versions
Carel Pcoweb Card	All versions

Related CWEs

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References (2)

https://medium.com/%40SergiuSechel/insecure-permissions-in-glen-dimplex-deutschland-gmbh-implementation-of-carel-pcoweb-configuration-ca3896f24835

Source: cve@mitre.org

https://medium.com/%40SergiuSechel/insecure-permissions-in-glen-dimplex-deutschland-gmbh-implementation-of-carel-pcoweb-configuration-ca3896f24835

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.