CVE-2019-25243
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php scripts. Attackers can exploit unsanitized input parameters to inject and execute arbitrary shell commands with root privileges by manipulating the 'strInIP' and 'strInPort' parameters.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| iWT Ltd. | FaceSentry Access Control System | 6.4.8 build 264 | affected |
| iWT Ltd. | FaceSentry Access Control System | 5.7.2 build 568 | affected |
| iWT Ltd. | FaceSentry Access Control System | 5.7.0 build 539 | affected |
Weaknesses
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
References
- https://www.exploit-db.com/exploits/47064
- http://www.iwt.com.hk
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5523.php
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.