PT-2022-23822 · Carel · Carel Pcoweb Hvac Bacnet Gateway

Gjoko Krstic · Published 2022-08-31 · Updated 2025-10-12 · CVE-2022-37122

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Carel pCOWeb HVAC BACnet Gateway versions 2.1.0, Firmware A2.1.0 through B2.1.0, Application Software 2.15.4A Software v16 13020200

Description: The Carel pCOWeb HVAC BACnet Gateway is affected by an unauthenticated arbitrary file disclosure issue. Input provided through the `file` GET parameter to the `logdownload.cgi` Bash script is not sufficiently validated before being used to download log files. This allows the disclosure of arbitrary and sensitive files through directory traversal.

Recommendations: Carel pCOWeb HVAC BACnet Gateway version 2.1.0, Firmware A2.1.0 through B2.1.0, and Application Software 2.15.4A Software v16 13020200: ensure proper validation of the `file` parameter in the `logdownload.cgi` script to prevent directory traversal.
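The recommendation above (validate the `file` parameter before it touches the filesystem) in working form, as an added example that is not Carel's code and not the original `logdownload.cgi`: a Bash CGI handler that accepts only a bare file name drawn from an allow-list of characters, resolves it inside one fixed log directory, and rejects anything that escapes that directory, including URL-encoded traversal and a symlink planted in the log directory. The directory layout, file names and query strings are constructed for the example; `LOG_DIR`, `resolve_log_file`, `url_decode` and `handle_query` are names chosen here, not names from the product.

```bash
#!/bin/bash
# Added example, not Carel's code: how a CGI script such as logdownload.cgi
# can validate a "file" GET parameter before serving a log file.
# Constructed fixture: a temp dir with a logs/ subdirectory (the only place
# files may be served from) and a "secret" file one level above it.
BASE="$(mktemp -d)"
trap 'rm -rf "$BASE"' EXIT
mkdir -p "$BASE/logs"
LOG_DIR="$(readlink -f "$BASE/logs")"           # canonical, so step 3 can compare prefixes
printf 'constructed log line\n' > "$LOG_DIR/system.log"
printf 'constructed secret\n'   > "$BASE/secret.txt"
ln -s "$BASE/secret.txt" "$LOG_DIR/link.log"    # a symlink planted inside the log dir

# Print the canonical path of the requested log file and return 0 if it is
# safe to serve; print nothing and return 1 otherwise.
resolve_log_file() {
    local requested="$1" candidate real
    # 1. Allow-list on the (already decoded) name: letters, digits, dot, dash
    #    and underscore only, no leading dot, no "/". This rejects "..",
    #    "../x", absolute paths, "%00" and backslashes before any file access.
    case "$requested" in
        ""|*/*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # 2. The name must denote an existing regular file directly in LOG_DIR.
    candidate="$LOG_DIR/$requested"
    [ -f "$candidate" ] || return 1
    # 3. Canonicalize and re-check the prefix, so a symlink inside LOG_DIR
    #    that points elsewhere is rejected as well.
    real="$(readlink -f -- "$candidate")" || return 1
    case "$real" in
        "$LOG_DIR"/*) printf '%s\n' "$real"; return 0 ;;
        *) return 1 ;;
    esac
}

# Decode %XX sequences (bash idiom: turn "%2e" into "\x2e" for printf %b).
url_decode() {
    local s="${1//+/ }"
    printf '%b' "${s//%/\\x}"
}

# Minimal CGI front end: pull "file" out of the query string, decode it,
# validate it, and emit a CGI status line. Validation runs on the decoded
# value, which is what matters for encoded traversal such as %2e%2e%2f.
handle_query() {
    local query="$1" value="" part decoded path
    local -a parts
    local IFS='&'
    read -r -a parts <<< "$query"
    for part in "${parts[@]}"; do
        case "$part" in
            file=*) value="${part#file=}" ;;
        esac
    done
    decoded="$(url_decode "$value")"
    if path="$(resolve_log_file "$decoded")"; then
        printf 'Status: 200 OK\nX-File: %s\n' "$path"
    else
        printf 'Status: 400 Bad Request\n'
    fi
}

# Stand-alone run: use the web server's QUERY_STRING if present, else a
# constructed request.
handle_query "${QUERY_STRING:-file=system.log}"
```

The three checks are deliberately redundant: the allow-list alone already blocks every traversal form, but the canonical-prefix comparison in step 3 also catches a file that is inside the directory by name yet outside it by target, which a pure string check cannot see.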

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2022-37122

Affected Products: Carel Pcoweb Hvac Bacnet Gateway