CVE-2019-25243 | THREATINT

Description

FaceSentry 6.4.8 contains an authenticated remote command injection vulnerability in pingTest.php and tcpPortTest.php scripts. Attackers can exploit unsanitized input parameters to inject and execute arbitrary shell commands with root privileges by manipulating the 'strInIP' and 'strInPort' parameters.

PUBLISHED Reserved 2025-12-24 | Published 2025-12-24 | Updated 2025-12-24 | Assigner VulnCheck

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

6.4.8 build 264

affected

5.7.2 build 568

affected

5.7.0 build 539

affected

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab finder

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5523.php exploit

www.exploit-db.com/exploits/47064 (ExploitDB-47064) exploit

www.iwt.com.hk (Official Product Homepage) product

www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5523.php (Zero Science Lab Disclosure (ZSL-2019-5523)) third-party-advisory

cve.org (CVE-2019-25243)

nvd.nist.gov (CVE-2019-25243)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.

help @ threatint.eu