6.1
CVE-2019-25277
- EPSS 0.28%
- Veröffentlicht 07.01.2026 23:11:06
- Zuletzt bearbeitet 22.01.2026 13:47:52
- Quelle disclosure@vulncheck.com
- CVE-Watchlists
- Unerledigt
FaceSentry Access Control System 6.4.8 Reflected Cross-Site Scripting via pluginInstall.php
FaceSentry Access Control System 6.4.8 contains a cross-site scripting vulnerability in the 'msg' parameter of pluginInstall.php that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated input to execute arbitrary JavaScript in victim browsers, potentially stealing authentication credentials and conducting phishing attacks.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Iwt ≫ Facesentry Access Control System Firmware Version5.7.0
Iwt ≫ Facesentry Access Control System Firmware Version5.7.2
Iwt ≫ Facesentry Access Control System Firmware Version6.4.8
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.28% | 0.193 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| disclosure@vulncheck.com | 5.1 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
| disclosure@vulncheck.com | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5527.php
https://packetstormsecurity.com/files/153494
https://cxsecurity.com/issue/WLB-2019070017
https://exchange.xforce.ibmcloud.com/vulnerabilities/163191