CVE-2020-21999

high

Description

iWT Ltd FaceSentry Access Control System 6.4.8 suffers from an authenticated OS command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user via the 'strInIP' POST parameter in pingTest PHP script.

References

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5525.php

https://www.exploit-db.com/exploits/47066

Details

Source: Mitre, NVD

Published: 2021-05-04

Updated: 2021-05-11

Risk Information

CVSS v2

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High