FaceSentry Access Control System 6.4.8 Reflected Cross-Site Scripting via pluginInstall.php

Advisories

severity: medium
date: January 7, 2026
Affecting: FaceSentry Access Control System 6.4.8, 5.7.2, 5.7.0
CVE: CVE-2019-25277
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
References: Zero Science Lab Vulnerability Advisory
Packet Storm Security Exploit Entry
CXSecurity Vulnerability Listing
IBM X-Force Vulnerability Exchange
Credit: LiquidWorm as Gjoko Krstic of Zero Science Lab
Description: FaceSentry Access Control System 6.4.8 contains a cross-site scripting vulnerability in the 'msg' parameter of pluginInstall.php that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated input to execute arbitrary JavaScript in victim browsers, potentially stealing authentication credentials and conducting phishing attacks.