7 matches found
CVE-2020-21999
CVE-2020-21999 affects iWT FaceSentry Access Control System (Firmware 6.4.8, 5.7.x) where an authenticated OS command injection is possible via the strInIP POST parameter in pingTest.php. The vulnerability uses default credentials and executes sudo ping with user-supplied input, enabling arbitrar...
CVE-2019-25279
The CVE-2019-25279 entry applies to the FaceSentry Access Control System version 6.4.8. The vulnerability stems from cleartext password storage inside the device’s SQLite database, allowing an attacker to read credentials directly from /faceGuard/database/FaceSentryWeb.sqlite without authenticati...
CVE-2019-25243
FaceSentry 6.4.8 has an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php. The root cause is unsanitized inputs in strInIP/strInPort, enabling arbitrary shell commands with root privileges. Affected product: FaceSentry 6.4.8. Impact is described as high. Rem...
CVE-2019-25241
FaceSentry Access Control System 6.4.8 contains a critical authentication flaw: hard-coded SSH credentials for the wwwuser and an insecure sudoers configuration allow privilege escalation to root via sudo without authentication. This is documented across multiple sources (EUVD-2025-205313, NVD, C...
CVE-2019-25278
FaceSentry Access Control System 6.4.8 is vulnerable to a cleartext transmission issue that enables remote attackers to perform MiTM attacks and intercept authentication credentials (e.g., HTTP cookie data) during network communications. The vulnerability stems from transmitting credentials in cl...
CVE-2019-25242
The CVE covers FaceSentry Access Control System version 6.4.8, where a cross-site request forgery (CSRF) vulnerability enables an attacker to perform administrative actions without user consent by persuading an authenticated user to load a crafted page. The vulnerability targets the web interface...
CVE-2019-25277
FaceSentry Access Control System 6.4.8 is affected by a cross-site scripting vulnerability in the msg parameter of pluginInstall.php due to unvalidated input. The issue allows injection of arbitrary JavaScript in victim browsers, with potential credential theft and phishing. Affected component: F...