Facesentry Access Control System Firmware

facesentry_access_control_system_firmware

Vendor: Iwt • 7 CVEs

CVEs (7)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-25279 1Iwt 1Facesentry Access Control System Firmware Jan 16, 2026 Jan 8, 2026 6.8 MEDIUM· v4 7.5 HIGH· v3 N/A· v2 FaceSentry Access Control System 6.4.8 contains a cleartext password storage vulnerability that allows attackers to access unencrypted credentials in the device's SQLite database. Attackers can directly read sensitive lo...Show more FaceSentry Access Control System 6.4.8 contains a cleartext password storage vulnerability that allows attackers to access unencrypted credentials in the device's SQLite database. Attackers can directly read sensitive login information stored in /faceGuard/database/FaceSentryWeb.sqlite without additional authentication.Show less
CVE-2019-25278 1Iwt 1Facesentry Access Control System Firmware Jan 16, 2026 Jan 8, 2026 9.1 CRITICAL· v4 5.9 MEDIUM· v3 N/A· v2 FaceSentry Access Control System 6.4.8 contains a cleartext transmission vulnerability that allows remote attackers to intercept authentication credentials. Attackers can perform man-in-the-middle attacks to capture HTTP...Show more FaceSentry Access Control System 6.4.8 contains a cleartext transmission vulnerability that allows remote attackers to intercept authentication credentials. Attackers can perform man-in-the-middle attacks to capture HTTP cookie authentication information during network communication.Show less
CVE-2019-25277 1Iwt 1Facesentry Access Control System Firmware Jan 22, 2026 Jan 8, 2026 5.1 MEDIUM· v4 6.1 MEDIUM· v3 N/A· v2 FaceSentry Access Control System 6.4.8 contains a cross-site scripting vulnerability in the 'msg' parameter of pluginInstall.php that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated in...Show more FaceSentry Access Control System 6.4.8 contains a cross-site scripting vulnerability in the 'msg' parameter of pluginInstall.php that allows attackers to inject malicious scripts. Attackers can exploit the unvalidated input to execute arbitrary JavaScript in victim browsers, potentially stealing authentication credentials and conducting phishing attacks.Show less
CVE-2019-25243 1Iwt 1Facesentry Access Control System Firmware Dec 30, 2025 Dec 24, 2025 8.7 HIGH· v4 8.8 HIGH· v3 N/A· v2 FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php scripts. Attackers can exploit unsanitized input parameters to inject and execute arbitrary shell comm...Show more FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php scripts. Attackers can exploit unsanitized input parameters to inject and execute arbitrary shell commands with root privileges by manipulating the 'strInIP' and 'strInPort' parameters.Show less
CVE-2019-25242 1Iwt 1Facesentry Access Control System Firmware Dec 30, 2025 Dec 24, 2025 5.1 MEDIUM· v4 4.3 MEDIUM· v3 N/A· v2 FaceSentry Access Control System 6.4.8 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change a...Show more FaceSentry Access Control System 6.4.8 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change administrator passwords, add new admin users, or open access control doors by tricking authenticated users into loading a specially crafted webpage.Show less
CVE-2019-25241 1Iwt 1Facesentry Access Control System Firmware Dec 31, 2025 Dec 24, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 FaceSentry Access Control System 6.4.8 contains a critical authentication vulnerability with hard-coded SSH credentials for the wwwuser account. Attackers can leverage the insecure sudoers configuration to escalate privi...Show more FaceSentry Access Control System 6.4.8 contains a critical authentication vulnerability with hard-coded SSH credentials for the wwwuser account. Attackers can leverage the insecure sudoers configuration to escalate privileges and gain root access by executing sudo commands without authentication.Show less
CVE-2020-21999 1Iwt 1Facesentry Access Control System Firmware Nov 21, 2024 May 4, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 iWT Ltd FaceSentry Access Control System 6.4.8 suffers from an authenticated OS command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root...Show more iWT Ltd FaceSentry Access Control System 6.4.8 suffers from an authenticated OS command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user via the 'strInIP' POST parameter in pingTest PHP script.Show less