Description
Single Sign-On Portal System developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing authenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks.
Published: 2026-01-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting that can let an authenticated attacker run arbitrary JavaScript in a victim’s browser via phishing
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw in the WellChoose Single Sign‑On Portal System that allows an authenticated remote attacker to embed and execute arbitrary JavaScript in a user's browser when the user clicks a phishing link. This client‑side code injection can compromise the integrity of the user’s session, steal credentials, or perform other malicious actions within the context of the authenticated session. The weakness is a classic input‑validation failure (CWE‑79).

Affected Systems

All installations of the WellChoose Single Sign‑On Portal System running a version earlier than IFTOP_P4_181 are affected, as the vendor recommends updating to that version or later to fix the flaw.

Risk and Exploitability

The listed CVSS score of 4.8 indicates moderate severity; however, exploitation requires the victim to be authenticated and to click a crafted link. The EPSS score of less than 1% suggests a very low probability of widespread exploitation, and the vulnerability is not in the CISA KEV catalog. Nonetheless, because the flaw can be triggered through phishing, the risk remains significant for environments where users may be exposed to social engineering attacks. The attack vector is limited to user interaction and authenticated sessions, but the impact on confidentiality and integrity can be substantial if successful.

Generated by OpenCVE AI on April 18, 2026 at 02:42 UTC.

Remediation

Vendor Solution

Update to version IFTOP_P4_181 or later.

OpenCVE Recommended Actions

  • Update to IFTOP_P4_181 or later
  • Ensure all user‑supplied data is properly escaped or encoded before rendering on web pages to prevent reflected XSS
  • Deploy a robust Content Security Policy that limits executable scripts to trusted sources
  • Conduct regular security awareness training to help users recognize and avoid phishing attempts that could exploit XSS

Generated by OpenCVE AI on April 18, 2026 at 02:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 22:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wellchoose:single_sign-on_portal_system:*:*:*:*:*:*:*:*

Tue, 27 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Wellchoose
Wellchoose single Sign-on Portal System
Vendors & Products Wellchoose
Wellchoose single Sign-on Portal System

Mon, 26 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 08:30:00 +0000

Type Values Removed Values Added
Description Single Sign-On Portal System developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing authenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks.
Title WellChoose|Single Sign-On Portal System - Reflected Cross-site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Wellchoose Single Sign-on Portal System
cve-icon MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-01-26T14:01:19.778Z

Reserved: 2026-01-26T07:22:00.544Z

Link: CVE-2026-1429

cve-icon Vulnrichment

Updated: 2026-01-26T14:01:16.208Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-26T09:15:47.603

Modified: 2026-03-11T22:44:48.973

Link: CVE-2026-1429

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T02:45:27Z

Weaknesses