CVE-2019-9484
Summary
| CVE | CVE-2019-9484 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-03-01 07:29:00 UTC |
| Updated | 2023-11-07 03:13:00 UTC |
| Description | The Glen Dimplex Deutschland GmbH implementation of the Carel pCOWeb configuration tool allows remote attackers to obtain access via an HTTP session on port 10000, as demonstrated by reading the modem password (which is 1234), or reconfiguring "party mode" or "vacation mode." |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Insecure permissions in Glen Dimplex Deutschland GmbH implementation of Carel pCOWeb configuration tool exposes brine-to-water heat pumps to remote attackers. \| by Sergiu Sechel \| Medium | | medium.com | |
| Insecure permissions in Glen Dimplex Deutschland GmbH implementation of Carel pCOWeb configuration tool exposes brine-to-water heat pumps to remote attackers. \| by Sergiu Sechel \| Medium | MISC | medium.com | Exploit, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
| Organization | Published | Contributor | Statement |
|---|---|---|---|
| Glen Dimplex Deutschland GmbH | 2020-05-29 | Bernd Muller | Glen Dimplex Deutschland GmbH does not deliver the Carel pCOweb card with an open port 10000 or 10001. The shown password ‘1234’ on the webpage is not being used in any current application. It was being used in former times together with a connection via modem, this is not realized anymore. More details to the current application: www.dimplex.de/wiki. |
There are currently no legacy QID mappings associated with this CVE.