CVE-2019-25277

Summary

FaceSentry Access Control System 6.4.8 contains a cross-site scripting vulnerability in the 'msg' parameter of pluginInstall.php that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated input to execute arbitrary JavaScript in victim browsers, potentially stealing authentication credentials and conducting phishing attacks.

Affected Software

VendorProductVersion RangeStatus
iWT Ltd.FaceSentry Access Control System6.4.8affected
iWT Ltd.FaceSentry Access Control System5.7.2affected
iWT Ltd.FaceSentry Access Control System5.7.0affected

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References