CVE-2019-7671

moderate-risk
Published 2019-06-05

Prima Systems FlexAir, Versions 2.3.38 and prior. Parameters sent to scripts are not properly sanitized before being returned to the user, which may allow an attacker to execute arbitrary code in a user’s browser session in context of an affected site.

Do I need to act?

!
13.5% chance of exploitation in next 30 days
EPSS score — higher than 87% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
47633
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.0/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Primasystems

References (10)

Exploit http://packetstormsecurity.com/files/155274/Prima-Access-Control-2.3.35-Cross-Si...
Broken Link https://applied-risk.com/index.php/download_file/view/199/165
Not Applicable https://applied-risk.com/labs/advisories
Third Party Advisory https://applied-risk.com/resources/ar-2019-007
Third Party Advisory https://www.us-cert.gov/ics/advisories/icsa-19-211-02
Exploit http://packetstormsecurity.com/files/155274/Prima-Access-Control-2.3.35-Cross-Si...
Broken Link https://applied-risk.com/index.php/download_file/view/199/165
Not Applicable https://applied-risk.com/labs/advisories
Third Party Advisory https://applied-risk.com/resources/ar-2019-007
Third Party Advisory https://www.us-cert.gov/ics/advisories/icsa-19-211-02
47
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 12/34 · Low
Exposure 5/34 · Minimal