Description
HTML injection vulnerability in Intermark IT's WebControl CMS v3.5. This vulnerability allows an attacker to send an email containing malicious HTML code to a victim via the contact form. To exploit this vulnerability, the attacker must send a request using the 'nombreApellidos', 'dirección', and 'comentarios' parameters to '/processContact.do'.
Published: 2026-06-30
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A web‑based HTML injection flaw exists in Intermark IT's WebControl CMS version 3.5. By sending a crafted request containing malicious HTML in the "nombreApellidos", "dirección", and "comentarios" fields to the /processContact.do endpoint, an attacker can cause the CMS to include that HTML in an email it sends to a victim. The injected content may be executed when the victim views the email, leading to cross‑site scripting (XSS) in the email client, phishing, or the spread of additional malicious payloads.

Affected Systems

Intermark IT WebControl CMS version 3.5 is affected. No other vendors or versions are listed as impacted.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate seriousness. The EPSS score is not available, and the vulnerability is not in CISA's KEV list, suggesting no current widespread exploitation reports. Exploitation requires remote access to the web application's form endpoint and the ability to craft an HTTP POST request with the specified parameters. Because the vulnerability is tied to a publicly accessible contact form, attackers could target the site without additional privileges, making it a remote, network‑level threat.

Generated by OpenCVE AI on June 30, 2026 at 10:52 UTC.

Remediation

Vendor Solution

No solution has been reported at this time.


OpenCVE Recommended Actions

  • Vendor has not released a patch; monitor vendor updates for a fix.
  • Sanitize all form inputs on the server side, stripping or escaping HTML tags from "nombreApellidos", "dirección", and "comentarios" before processing or embedding them.
  • Implement a content‑filtering rule on outgoing mail to detect and block emails that contain unexpected or suspicious HTML fragments.
  • Disable or restrict the use of the /processContact.do endpoint until a vendor patch is released or an approved input‑validation solution is in place.
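
The server-side escaping recommended above, as an added example that is not WebControl CMS code (the page does not show the CMS's implementation). It assumes the notification mail is built in Python; `build_contact_mail`, `clean_fields`, `html_part`, `MAX_LEN`, the subject line and the addresses are hypothetical.

```python
from email.message import EmailMessage
from html import escape

FIELDS = ("nombreApellidos", "dirección", "comentarios")  # parameter names from the advisory
MAX_LEN = 2000  # assumed per-field length limit


def clean_fields(form: dict) -> dict:
    """Keep only the known fields, truncate them, and drop control characters."""
    cleaned = {}
    for name in FIELDS:
        raw = str(form.get(name, ""))[:MAX_LEN]
        cleaned[name] = "".join(c for c in raw if c.isprintable() or c in "\n\t")
    return cleaned


def build_contact_mail(form: dict, sender: str, recipient: str) -> EmailMessage:
    """Build the notification with a plain-text part and an escaped HTML part."""
    fields = clean_fields(form)
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Contact form submission"  # fixed text, never user input
    # Plain-text part: markup is inert here.
    msg.set_content("\n".join(f"{k}: {v}" for k, v in fields.items()))
    # HTML part: escape every value so <, >, & and quotes render literally.
    rows = "".join(
        f"<tr><th>{escape(k)}</th><td>{escape(v, quote=True)}</td></tr>"
        for k, v in fields.items()
    )
    msg.add_alternative(
        f"<html><body><table>{rows}</table></body></html>", subtype="html"
    )
    return msg


def html_part(msg: EmailMessage) -> str:
    """Return the decoded HTML alternative of the message."""
    return msg.get_body(preferencelist=("html",)).get_content()


if __name__ == "__main__":
    # Constructed sample submission, not taken from the advisory.
    sample = {
        "nombreApellidos": '<a href="https://example.invalid/">click</a>',
        "dirección": "Calle Mayor 1",
        "comentarios": "<img src=x> hola & adiós",
    }
    print(html_part(build_contact_mail(sample, "web@example.invalid", "owner@example.invalid")))
```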



Advisories

No advisories yet.

History

Tue, 30 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 09:45:00 +0000

Type | Values Removed | Values Added
Description | | HTML injection vulnerability in Intermark IT's WebControl CMS v3.5. This vulnerability allows an attacker to send an email containing malicious HTML code to a victim via the contact form. To exploit this vulnerability, the attacker must send a request using the 'nombreApellidos', 'dirección', and 'comentarios' parameters to '/processContact.do'.
Title | | Multiple vulnerabilities in Intermark IT's WebControl CMS
Weaknesses | | CWE-79
References | |
Metrics | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N'}



MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-06-30T12:34:57.813Z

Reserved: 2026-04-24T11:24:36.307Z

Link: CVE-2026-6953

Vulnrichment

Updated: 2026-06-30T12:34:53.276Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T11:00:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')