PT-2021-10714 · iWT · FaceSentry Access Control System

Gjoko Krstic · Published 2021-05-04 · Updated 2021-05-11

CVE-2020-21999

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: iWT Ltd FaceSentry Access Control System version 6.4.8
Description: The pingTest PHP script passes the value of the strInIP parameter to the operating system shell without neutralizing shell metacharacters. Any authenticated user, including one who logs in with the device's default credentials, can therefore inject and execute arbitrary shell commands, and those commands run as the root user.
Recommendations: For version 6.4.8, until the vendor resolves the issue, restrict access to the device's web interface, and to the pingTest PHP script in particular, to trusted administrators and management networks, and change the default credentials so that the authentication step is not trivially satisfied. Note that simply not using the strInIP parameter yourself is no mitigation: the attacker is the one who supplies it.
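The following is an added illustration of the bug class described above, not the vendor's pingTest code, which is not reproduced on this page. Only the parameter name strInIP and the idea of a ping test come from the advisory; the function names, the command line and the sample inputs are assumptions. It shows the vulnerable shape (the parameter interpolated into a shell command) next to a hardened form that admits only a syntactically valid IP literal and quotes it before any shell call.

```php
<?php
// Added example of the vulnerability class in this advisory (OS command
// injection through a "ping test" parameter). This is NOT the FaceSentry
// pingTest script; everything except the parameter name strInIP is assumed.

declare(strict_types=1);

// Vulnerable pattern: the attacker-controlled value is concatenated into a
// command string, and shell_exec() hands that string to /bin/sh -c, so
// metacharacters such as ; | & ` $( ) and newline are interpreted by the
// shell. A value like "192.0.2.10; id" ends the ping and runs a second
// command with the privileges of the web server process.
function pingTestVulnerable(string $strInIP): string
{
    return (string) shell_exec("ping -c 1 " . $strInIP);
}

// Hardened pattern, step 1: accept only an IPv4/IPv6 literal. Hostnames are
// deliberately rejected; a ping test does not need DNS resolution here.
function validatedTarget(string $strInIP): ?string
{
    $ip = filter_var(trim($strInIP), FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// Hardened pattern, step 2: even after validation, quote the argument with
// escapeshellarg() so that no shell metacharacter can survive (defence in
// depth in case the validation rule is later relaxed).
function pingTestHardened(string $strInIP): string
{
    $ip = validatedTarget($strInIP);
    if ($ip === null) {
        http_response_code(400);
        return "invalid target address";
    }
    $out = shell_exec("ping -c 1 " . escapeshellarg($ip));
    return $out === null ? "ping failed" : $out;
}

// Constructed inputs (not taken from any real exploit) showing which values
// the validator lets through. Returns input => whether the outcome matched
// the expectation, so the check runs without actually invoking ping.
function selfTest(): array
{
    $cases = [
        "192.0.2.10"                 => true,  // RFC 5737 documentation address
        "2001:db8::1"                => true,  // IPv6 literal
        "192.0.2.10; id"             => false, // command separator
        "192.0.2.10|cat /etc/passwd" => false, // pipe
        "\$(id)"                     => false, // command substitution
        "`id`"                       => false, // backtick substitution
        "localhost"                  => false, // hostname, not an IP literal
    ];
    $results = [];
    foreach ($cases as $input => $expectedValid) {
        $results[$input] = (validatedTarget($input) !== null) === $expectedValid;
    }
    return $results;
}

if (PHP_SAPI === 'cli') {
    foreach (selfTest() as $input => $ok) {
        printf("%-32s %s\n", json_encode($input), $ok ? "as expected" : "MISMATCH");
    }
}
```

Two practitioner caveats. First, input validation closes the injection but not the impact stated in the advisory: commands executing as root means the web application itself runs as root, so the process should additionally be dropped to an unprivileged account, which limits what any future injection can do. Second, the check belongs server-side in the script that builds the command; client-side restrictions on the form that submits strInIP are bypassed trivially by sending the request directly.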

Weakness Enumeration
OS Command Injection

Related Identifiers
CVE-2020-21999

Affected Products
iWT Ltd FaceSentry Access Control System