Cross-Site Scripting Vulnerability in FaceSentry Access Control System by CyberSecure
CVE-2019-25277

5.1MEDIUM

Key Information:

Vendor

Iwt Ltd.

Status
Facesentry Access Control System
Vendor
CVE Published:
7 January 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2019-25277?

The FaceSentry Access Control System version 6.4.8 contains a cross-site scripting vulnerability that affects the 'msg' parameter of the pluginInstall.php file. This vulnerability allows attackers to inject malicious scripts through unvalidated input. Once exploited, the injected JavaScript can execute in the browsers of unsuspecting users, posing a significant risk of credential theft and enabling phishing attempts. Ensuring proper input validation and sanitization is essential to mitigate this risk and protect user data.

Affected Version(s)

FaceSentry Access Control System 6.4.8

FaceSentry Access Control System 5.7.2

FaceSentry Access Control System 5.7.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2019-25277 - Proof of Concept

References

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-55...
third-party-advisory
https://packetstormsecurity.com/files/153494
exploit
https://cxsecurity.com/issue/WLB-2019070017
third-party-advisory

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

LiquidWorm as Gjoko Krstic of Zero Science Lab
JSON
.