CVE-2019-7671

CRITICAL

Prima Systems FlexAir <2.3.38 - RCE

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-7671. PoCs published by LiquidWorm.

AI-analyzed exploit summary: This exploit demonstrates a persistent Cross-Site Scripting (XSS) vulnerability in Prima Access Control 2.3.35 by injecting a malicious script into the 'HwName' parameter via an authenticated HTTP POST request. The payload is stored and executed when accessed by other users.

Description

Prima Systems FlexAir, Versions 2.3.38 and prior. Parameters sent to scripts are not properly sanitized before being returned to the user, which may allow an attacker to execute arbitrary code in a user’s browser session in the context of an affected site.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · textwebappsalpha
https://www.exploit-db.com/exploits/47633

Classification
Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Prima Access Control 2.3.35
Auth required
Prerequisites: Authenticated session with valid Session-ID · Access to the target application
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Not Applicable, Third Party Advisory x_refsource_misc
https://applied-risk.com/labs/advisories
Third Party Advisory x_refsource_misc
https://applied-risk.com/resources/ar-2019-007
Third Party Advisory, US Government Resource x_refsource_misc
https://www.us-cert.gov/ics/advisories/icsa-19-211-02

Scores

CVSS v3 9.0
EPSS 0.0826
EPSS Percentile 94.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Details

CWE CWE-79
Status published
Products (1)
primasystems/flexair < 2.3.38
Published Jun 05, 2019
Tracked Since Feb 18, 2026