FaceSentry Access Control System 6.4.8 Cross-Site Request Forgery via Web Interface

Advisories

severity: medium
date: December 24, 2025
Affecting: FaceSentry Access Control System 6.4.8, 5.7.2, 5.7.0
CVE: CVE-2019-25242
CWE: CWE-352 Cross-Site Request Forgery (CSRF)
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
References: ExploitDB-47065
Vendor Product Homepage
Zero Science Lab Disclosure (ZSL-2019-5524)
Credit: LiquidWorm as Gjoko Krstic of Zero Science Lab
Description: FaceSentry Access Control System 6.4.8 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change administrator passwords, add new admin users, or open access control doors by tricking authenticated users into loading a specially crafted webpage.