漏洞描述
pCOWeb是CAREL为其客户提供的管理HVAC/R的解决方案应用程序和系统。它由可编程控制器、用户界面,网关和通信接口,为原始设备制造商提供的远程管理系统在HVAC/R中工作是一个强大而灵活的控制系统,可以很容易地连接到更广泛使用的楼宇管理系统,也可以集成到专有监督系统。该系统存在目录遍历漏洞,攻击者可以读取到系统大部分文件
Carel pCOWeb HVAC BACnet Gateway 2.1.0 未经身份验证的目录遍历
PoC代码
暂无相关漏洞推荐
- POC CVE-2006-3392: Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure
- POC CVE-2011-3600: Apache OFBiz - XML External Entity Injection
- POC CVE-2015-8350: WordPress Calls to Action <=2.4.3 - Authenticated Reflected XSS
- POC CVE-2016-15043: WP Mobile Detector <= 3.5 - Unrestricted File Upload
- POC CVE-2017-11107: phpLDAPadmin <= 1.2.3 - Reflected XSS
- POC CVE-2017-17762: Episerver 7 - Blind XML External Entity Injection
- POC CVE-2017-18580: WordPress Shortcodes Ultimate <= 5.0.0 - Authenticated Remote Code Execution
- POC CVE-2017-20192: Formidable Forms < 2.05.02 - Cross-Site Scripting
- POC CVE-2018-10245: AWStats <= 7.5 - Full Path Disclosure
- POC CVE-2018-6961: VMware NSX SD-WAN Edge - Command Injection
- POC CVE-2018-9206: Blueimp jQuery-File-Upload v9.22.0 - Unrestricted File Upload
- POC CVE-2019-11253: Kubernetes API Server - YAML Parsing DoS (Billion Laughs)
- POC CVE-2019-15823: WPS Hide Login <= 1.5.2.2 - Login Page Bypass