CVE-2019-25277
Unknown Unknown - Not Provided
Cross-Site Scripting in FaceSentry PluginInstall.php Enables Credential Theft

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: VulnCheck

Description
FaceSentry Access Control System 6.4.8 contains a cross-site scripting vulnerability in the 'msg' parameter of pluginInstall.php that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated input to execute arbitrary JavaScript in victim browsers, potentially stealing authentication credentials and conducting phishing attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-14
NVD
CVE-2019-25277
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
iwt_ltd facesentry_access_control_system 6.4.8
iwt_ltd facesentry_access_control_system 5.7.2
iwt_ltd facesentry_access_control_system 5.7.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a reflected cross-site scripting (XSS) flaw in the FaceSentry Access Control System version 6.4.8 and earlier. It occurs because the 'msg' parameter in the pluginInstall.php script does not properly sanitize user input. An attacker can exploit this by injecting malicious JavaScript code that executes in the browser of a user visiting the affected site, potentially leading to theft of authentication cookies and enabling phishing attacks. [1, 2]

Impact Analysis

Exploitation of this vulnerability can allow attackers to execute arbitrary JavaScript in the victim's browser within the context of the FaceSentry system. This can lead to theft of cookie-based authentication credentials, enabling unauthorized access, as well as phishing attacks and other malicious activities that compromise user security and privacy. [1, 2]

Detection Guidance

This vulnerability can be detected by testing the 'msg' parameter in the pluginInstall.php script for reflected cross-site scripting (XSS). You can use tools like curl or a web browser to send crafted requests that include script tags in the 'msg' parameter and observe if the script executes or is reflected unsanitized in the response. For example, you can run a command like: curl -v "http://<target>/pluginInstall.php?msg=<script>alert(1)</script>" and check if the response contains the injected script code. Additionally, using web vulnerability scanners that test for reflected XSS on parameters can help detect this issue. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the affected pluginInstall.php script to trusted users only, applying input validation and sanitization on the 'msg' parameter to prevent script injection, and monitoring for suspicious activity. If possible, update or patch the FaceSentry Access Control System to a version where this vulnerability is fixed. If no patch is available, consider disabling the vulnerable functionality or isolating the device from untrusted networks to reduce exposure. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25277. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart