PT-2026-1675 · Unknown · Facesentry Access Control System

Published: 2026-01-07 · Updated: 2026-01-22 · CVE-2019-25277

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
FaceSentry Access Control System version 6.4.8

Description
The FaceSentry Access Control System is affected by a cross-site scripting issue in the msg parameter of the pluginInstall.php file. This allows attackers to inject malicious scripts. Exploiting this unvalidated input can lead to the execution of arbitrary JavaScript in a victim’s browser, potentially resulting in the theft of authentication credentials and phishing attacks.

Recommendations
Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict or disable access to the pluginInstall.php file. Sanitize the msg parameter before processing it to prevent the injection of malicious scripts.
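
Until a fixed version is installed, requests that put markup into the msg parameter of pluginInstall.php can be flagged from web access logs. The following is an added example, not code from the vendor or from this advisory; it assumes the device or a proxy in front of it writes Apache/nginx "combined" format logs, and the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: "combined" access-log format (client, timestamp, request line, status).
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
# Characters and tokens a plain status message does not need, but which are
# required to break out of HTML text or an attribute value.
MARKUP = re.compile(r'[<>"\']|javascript:|\bon\w+\s*=', re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (%253C -> %3C -> <), bounded to a few rounds."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_msg_requests(log_lines):
    """Return (client, timestamp, decoded msg) for pluginInstall.php hits whose msg carries markup."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, when, target, _status = m.groups()
        url = urlsplit(target)
        # Lower-casing the path over-matches on case-sensitive servers, which is harmless here.
        if not url.path.lower().endswith("/plugininstall.php"):
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("msg", []):
            msg = fully_decode(raw)  # parse_qs has already decoded one layer
            if MARKUP.search(msg):
                hits.append((client, when, msg))
    return hits

# Constructed sample lines (documentation addresses, not from a real device).
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Jan/2026:10:01:02 +0000] "GET /pluginInstall.php?msg=Plugin+installed HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Jan/2026:10:05:40 +0000] "GET /pluginInstall.php?msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540',
    '203.0.113.9 - - [07/Jan/2026:10:06:11 +0000] "GET /pluginInstall.php?msg=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 551',
    '198.51.100.7 - - [07/Jan/2026:10:07:00 +0000] "GET /index.php?msg=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for client, when, msg in suspicious_msg_requests(SAMPLE_LOG):
        print(f"{when} {client} msg={msg!r}")
```

A msg value sent in a POST body does not appear in access logs, so this check only covers query-string delivery; it complements, and does not replace, the update and access restriction recommended above.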

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2019-25277

Affected Products: Facesentry Access Control System