PT-2025-53329 · Unknown · Facesentry

Published: 2025-12-24 · Updated: 2025-12-24 · CVE-2019-25243

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: FaceSentry version 6.4.8

Description: FaceSentry 6.4.8 has a remote command injection issue in the pingTest.php and tcpPortTest.php scripts. An authenticated attacker can inject and execute arbitrary shell commands with root privileges. This is possible by manipulating the strInIP and strInPort parameters, which are not properly sanitized.

Recommendations: Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the pingTest.php and tcpPortTest.php scripts. Sanitize the strInIP and strInPort parameters before processing them in the pingTest.php and tcpPortTest.php scripts.
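
One way to apply the sanitization recommended above, as an added example rather than FaceSentry's or the vendor's code: strict allow-list validation of strInIP and strInPort before anything reaches a command line. The function names are hypothetical, and the assumption that the scripts build a ping-style command from these parameters is inferred from the script names, not stated in the advisory.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper names, not FaceSentry code.

/** Return the IP literal unchanged, or null if the input is anything else. */
function validateIp(string $raw): ?string
{
    $ip = filter_var($raw, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

/** Return a TCP port in 1..65535 as an int, or null. */
function validatePort(string $raw): ?int
{
    // ctype_digit() accepts only 0-9, so signs, spaces and shell
    // metacharacters are rejected before any conversion happens.
    if ($raw === '' || strlen($raw) > 5 || !ctype_digit($raw)) {
        return null;
    }
    $port = (int) $raw;
    return ($port >= 1 && $port <= 65535) ? $port : null;
}

/** Build the command only from a validated value; escapeshellarg() is a second layer. */
function buildPingCommand(string $rawIp): ?string
{
    $ip = validateIp($rawIp);
    return $ip === null ? null : 'ping -c 3 ' . escapeshellarg($ip);
}

// Constructed sample inputs: well-formed values and values carrying extra characters.
$samples = [
    ['strInIP' => '192.0.2.10',     'strInPort' => '443'],
    ['strInIP' => '192.0.2.10; id', 'strInPort' => '443'],
    ['strInIP' => '192.0.2.10',     'strInPort' => '80|id'],
    ['strInIP' => '192.0.2.10',     'strInPort' => '70000'],
];

foreach ($samples as $s) {
    $cmd  = buildPingCommand($s['strInIP']);
    $port = validatePort($s['strInPort']);
    printf("%-16s %-6s => %s\n", $s['strInIP'], $s['strInPort'],
        ($cmd !== null && $port !== null) ? "accept: $cmd (port $port)" : 'reject');
}
```

Rejecting anything that is not a bare IP literal or an in-range integer is more reliable than trying to strip dangerous characters, and it complements, rather than replaces, the access restriction and update recommended above.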

Exploit

Fix

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2019-25243

Affected Products: Facesentry