CVE-2019-25277
MEDIUMCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Description
FaceSentry Access Control System 6.4.8 contains a cross-site scripting vulnerability in the 'msg' parameter of pluginInstall.php that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated input to execute arbitrary JavaScript in victim browsers, potentially stealing authentication credentials and conducting phishing attacks.
Analysis
Facesentry Access Control System Firmware versions up to 5.7.0 is affected by cross-site scripting (xss) (CVSS 6.1).
Technical Context
This vulnerability (CWE-79: Cross-site Scripting (XSS)) affects Facesentry Access Control System Firmware. FaceSentry Access Control System 6.4.8 contains a cross-site scripting vulnerability in the 'msg' parameter of pluginInstall.php that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated input to execute arbitrary JavaScript in victim browsers, potentially stealing authentication credentials and conducting phishing attacks.
Affected Products
Vendor: Iwt. Product: Facesentry Access Control System Firmware. Versions: up to 5.7.0.
Remediation
Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today