CVE-2019-7671

CRITICAL

Prima Systems FlexAir <2.3.38 - RCE

Title source: llm

Description

Prima Systems FlexAir, Versions 2.3.38 and prior. Parameters sent to scripts are not properly sanitized before being returned to the user, which may allow an attacker to execute arbitrary code in a user’s browser session in context of an affected site.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · textwebappsalpha

https://www.exploit-db.com/exploits/47633

View Code ZIP pw:eip

References (5)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/155274/Prima-Access-Control-2.3.35-Cross-Site-Scripting.html

[Broken Link] https://applied-risk.com/index.php/download_file/view/199/165

[Not Applicable, Third Party Advisory] https://applied-risk.com/labs/advisories

[Third Party Advisory] https://applied-risk.com/resources/ar-2019-007

[Third Party Advisory, US Government Resource] https://www.us-cert.gov/ics/advisories/icsa-19-211-02

Scores

CVSS v3 9.0

EPSS 0.1349

EPSS Percentile 94.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Details

CWE

CWE-79

Status published

Products (1)

primasystems/flexair < 2.3.38

Published Jun 05, 2019

Tracked Since Feb 18, 2026