CVE-2019-25242

FaceSentry Access Control System 6.4.8 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change administrator passwords, add new admin users, or open access control doors by tri...

medium 4.3 CVSS 3.1
Published: Dec 24, 2025
Modified: Dec 30, 2025
Vendor: Iwt
Product: Facesentry Access Control System Firmware
Versions: 5.7.0,5.7.2,6.4.8

Description

FaceSentry Access Control System 6.4.8 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change administrator passwords, add new admin users, or open access control doors by tricking authenticated users into loading a specially crafted webpage.

References

Related CVEs

CVE-2019-25243 high · 8.8
FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php scripts. Attackers can exploit unsanitized input parameters to
CVE-2019-25241 critical · 9.8
FaceSentry Access Control System 6.4.8 contains a critical authentication vulnerability with hard-coded SSH credentials for the wwwuser account. Attackers can leverage the insecure