CVE-2019-25242

Summary

FaceSentry Access Control System 6.4.8 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change administrator passwords, add new admin users, or open access control doors by tricking authenticated users into loading a specially crafted webpage.

Affected Software

VendorProductVersion RangeStatus
iWT Ltd.FaceSentry Access Control System6.4.8affected
iWT Ltd.FaceSentry Access Control System5.7.2affected
iWT Ltd.FaceSentry Access Control System5.7.0affected

Weaknesses

  • CWE-352: Cross-Site Request Forgery (CSRF)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References