CVE-2019-25277
Published 2026-01-08

Priority: P4 27 · CVSS 3.1 base score 6.1 (medium)
CVSS 3.1 metrics: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.28% (19.5th percentile)
FaceSentry Access Control System 6.4.8 contains a cross-site scripting vulnerability in the 'msg' parameter of pluginInstall.php that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated input to execute arbitrary JavaScript in victim browsers, potentially stealing authentication credentials and conducting phishing attacks.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | drupal_core | — | — |
| iwt | facesentry_access_control_system_firmware | — | — |
| iwt | facesentry_access_control_system_firmware | — | — |
| iwt | facesentry_access_control_system_firmware | — | — |
| iwt_ltd | facesentry_access_control_system | — | — |
| iwt_ltd | facesentry_access_control_system | — | — |
| iwt_ltd | facesentry_access_control_system | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v4.0 | 5.1 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA

GHSA-pw9x-q8pw-5v65: FaceSentry Access Control System 6 (ghsa_unreviewed · 2026-01-08)
CVE-2019-25277 [MEDIUM] CWE-79 (Cross-site Scripting)
Description: identical to the description above.
Drupal

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014 (vendor_drupal · 2022-07-20)
CVE-2022-25277 [HIGH]
Title: Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014
Vulnerability Type: Arbitrary PHP code execution
Description: Updated 2022-07-20 19:45 UTC to indicate that this only affects Apache web servers. Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012 ) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010 ). However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.