2025-12-24 19:27 · CVE-2019-25242 · VulnCheck (CNA)
PUBLISHED · record format 5.2 · CWE-352

FaceSentry Access Control System 6.4.8 Cross-Site Request Forgery via Web Interface

FaceSentry Access Control System 6.4.8 contains a cross-site request forgery (CSRF) vulnerability in its web interface: state-changing administrative requests are honoured on the strength of the browser's session credentials alone, so an attacker-controlled web page can issue them from the browser of an administrator who is currently logged in. As described in the disclosure, such a page can change the administrator password, add a new administrator account, or open the doors the system controls — a physical-access consequence, not only a data-integrity one. Notes for readers of this record: the affected-products list below also marks 5.7.2 and 5.7.0 as affected, not only 6.4.8; no fixed version is listed anywhere in the record; and the CVSS 3.1 vector recorded here (PR:L/UI:N/I:L, base score 4.3) does not appear to match the attack pattern the description gives, which requires no privileges of the attacker's own but does require a logged-in administrator to load the page, and which can change credentials and unlock doors. Treat the 4.3 base score as provisional and assess the impact for your own deployment.

Problem type

Cross-Site Request Forgery (CSRF) — CWE-352
Affected products

iWT Ltd.

FaceSentry Access Control System

6.4.8 - AFFECTED

5.7.2 - AFFECTED

5.7.0 - AFFECTED

References

GitHub Security Advisories

GHSA-p43h-75mm-qgfv

FaceSentry Access Control System 6.4.8 contains a cross-site request forgery vulnerability that...

https://github.com/advisories/GHSA-p43h-75mm-qgfv

FaceSentry Access Control System 6.4.8 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change administrator passwords, add new admin users, or open access control doors by tricking authenticated users into loading a specially crafted webpage.

JSON source

https://cveawg.mitre.org/api/cve/CVE-2019-25242
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2019-25242",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2025-12-24T20:23:12.300Z",
    "dateReserved": "2025-12-24T14:27:12.476Z",
    "datePublished": "2025-12-24T19:27:58.523Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2025-12-24T19:27:58.523Z"
      },
      "datePublic": "2019-05-28T00:00:00.000Z",
      "title": "FaceSentry Access Control System 6.4.8 Cross-Site Request Forgery via Web Interface",
      "descriptions": [
        {
          "lang": "en",
          "value": "FaceSentry Access Control System 6.4.8 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change administrator passwords, add new admin users, or open access control doors by tricking authenticated users into loading a specially crafted webpage."
        }
      ],
      "affected": [
        {
          "vendor": "iWT Ltd.",
          "product": "FaceSentry Access Control System",
          "versions": [
            {
              "version": "6.4.8",
              "status": "affected"
            },
            {
              "version": "5.7.2",
              "status": "affected"
            },
            {
              "version": "5.7.0",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Cross-Site Request Forgery (CSRF)",
              "cweId": "CWE-352",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.exploit-db.com/exploits/47065",
          "name": "ExploitDB-47065",
          "tags": [
            "exploit"
          ]
        },
        {
          "url": "http://www.iwt.com.hk",
          "name": "Vendor Product Homepage",
          "tags": [
            "product"
          ]
        },
        {
          "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5524.php",
          "name": "Zero Science Lab Disclosure (ZSL-2019-5524)",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS"
        },
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab",
          "type": "finder"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2025-12-24T20:23:12.300Z"
        },
        "title": "CISA ADP Vulnrichment",
        "references": [
          {
            "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5524.php",
            "tags": [
              "exploit"
            ]
          }
        ],
        "metrics": [
          {}
        ]
      }
    ]
  }
}