CVE-2019-11370

Severity: MEDIUM · Exploited in the wild · Nuclei template available

Carel pCOWeb < B1.2.4 - Stored Cross-Site Scripting in System Contact Field

Title source: llm

Exploitation Summary

CVE-2019-11370 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Luca.Chiou. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in Carel pCOWeb devices by injecting malicious JavaScript into the 'syscontact' field via a POST request to the SNMP configuration page. The payload is stored in the database and executed when the page is accessed.

Description

Stored XSS was discovered in Carel pCOWeb prior to B1.2.4, as demonstrated by the config/pw_snmp.html "System contact" field.

Exploits (1)

exploitdb · WORKING POC
by Luca.Chiou · text · webapps · hardware
https://www.exploit-db.com/exploits/46897


Classification: Working PoC (90% confidence)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Carel pCOWeb all versions prior to B1.2.1
Auth required: yes
Prerequisites: Access to the target device's web interface · Valid credentials to modify SNMP settings
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

Carel pCOWeb < B1.2.4 - Cross-Site Scripting
MEDIUM · VERIFIED · by arafatansari
Shodan: http.html:"pCOWeb" || http.html:"pcoweb"
FOFA: body="pcoweb"

References (2)

Core References (2)
Exploit, Third Party Advisory (x_refsource_misc)
https://drive.google.com/open?id=1WkmtsCVNCtxwWH2fe9DtHow_Nedp1a7j

Scores

CVSS v3: 5.4
EPSS: 0.0398
EPSS Percentile: 89.1%
Attack Vector: NETWORK
Vector string: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

VulnCheck KEV: 2024-01-22
CWE: CWE-79
Status: published
Products (1): carel/pcoweb_card_firmware < b1.2.4
Published: Jun 03, 2019
Tracked Since: Feb 18, 2026