Vulnerability Description
Carel pCOWeb HVAC BACnet Gateway 2.1.0, Firmware: A2.1.0 - B2.1.0, Application Software: 2.15.4A Software v16 13020200 suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed via the 'file' GET parameter to the 'logdownload.cgi' Bash script is not properly validated before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Carel | Pcoweb Card Firmware | >= a2.1.0, <= b.2.1.0 |
| Carel | Pcoweb Card | - |
| Carel | Applica | 2.154a |
| Carel | Pcoweb Hvac Bacnet Gateway | 2.1.0 |
Related Weaknesses (CWE)
References
- https://packetstormsecurity.com/files/167684/ (Exploit, Third Party Advisory, VDB Entry)
- https://www.zeroscience.mk/codes/carelpco_dir.txt (Exploit, Third Party Advisory)
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5709.php (Exploit, Third Party Advisory)
FAQ
What is CVE-2022-37122?
CVE-2022-37122 is a vulnerability with a CVSS score of 7.5 (HIGH). Carel pCOWeb HVAC BACnet Gateway 2.1.0, Firmware: A2.1.0 - B2.1.0, Application Software: 2.15.4A Software v16 13020200 suffers from an unauthenticated arbitrary file disclosure vulnerability. Input pa...
How severe is CVE-2022-37122?
CVE-2022-37122 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-37122?
Check the references section above for vendor advisories and patch information. Affected products include: Carel Pcoweb Card Firmware, Carel Pcoweb Card, Carel Applica, Carel Pcoweb Hvac Bacnet Gateway.