Impact
WebControl CMS version 3.5 contains a reflected cross-site scripting (XSS) flaw: the 'urlDestino' query parameter of the '/portal.do' endpoint is reflected into the response without adequate validation or output encoding, so an attacker can embed JavaScript or a dynamic iframe in a crafted URL. When a victim opens that URL, the injected content runs in the victim's browser in the context of the portal: it can read session cookies (unless they are marked HttpOnly), present a phishing interface over the legitimate page, and issue requests on the user's behalf. This is a typical CWE-79 instance with a moderate impact on confidentiality and integrity.
Affected Systems
Intermark IT WebControl CMS 3.5 is impacted. No specific installation or configuration details are provided beyond the product version.
Risk and Exploitability
The CVSS score of 5.1 indicates medium severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, so there is limited public evidence of exploitation. Exploitation is remote but needs user interaction: the attacker crafts a '/portal.do?urlDestino=…' URL carrying the payload and persuades a legitimate user to open it, for example through a phishing e-mail or a link on another site. If no vendor patch is applied, the issue can be mitigated by validating 'urlDestino' against an allowlist of same-origin destinations and encoding it on output, with WAF rules as a secondary layer; these reduce but do not remove the risk of surreptitious session theft or phishing.
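The following is an added example, not code from WebControl CMS or from this advisory's source. It shows the vulnerable pattern the description implies (a destination parameter reflected straight into an iframe attribute) next to a hardened handler that allowlists same-origin destinations and HTML-encodes the value on output. The portal origin, the handler functions and the sample payloads are all assumptions for illustration; the real reflection context of 'urlDestino' in '/portal.do' is not documented on this page.

```javascript
// Added example: hypothetical handler, NOT WebControl CMS code.
// Assumed origin of the portal; the real deployment hostname is unknown.
const PORTAL_ORIGIN = 'https://portal.example.test';

// Vulnerable pattern: the raw parameter lands inside a src attribute, so a
// value such as  "><script>...</script>  breaks out of the attribute and runs.
function renderVulnerable(urlDestino) {
  return `<iframe src="${urlDestino}"></iframe>`;
}

// Hardening step 1: accept only destinations on our own origin.
// Returns the normalized path (plus query/fragment) or null when rejected.
function validateDestination(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;
  // Control characters, quotes, angle brackets and backslashes have no place
  // in a legitimate destination and are the usual attribute break-out tools.
  if (/[\u0000-\u001f\u007f<>"'`\\]/.test(raw)) return null;
  let parsed;
  try {
    // Resolving against PORTAL_ORIGIN lets relative paths through and lets the
    // URL parser decide what "//evil.test" or "javascript:" really are.
    parsed = new URL(raw, PORTAL_ORIGIN);
  } catch (e) {
    return null;
  }
  // javascript: and data: URLs get origin "null"; protocol-relative and absolute
  // foreign URLs get a foreign origin. Both are rejected here.
  if (parsed.origin !== PORTAL_ORIGIN || parsed.protocol !== 'https:') return null;
  return parsed.pathname + parsed.search + parsed.hash;
}

// Hardening step 2: encode on output regardless of validation, so a future
// change to the allowlist cannot silently reopen the injection.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

function renderHardened(urlDestino) {
  const dest = validateDestination(urlDestino);
  if (dest === null) return '<p>Invalid destination.</p>';
  return `<iframe src="${escapeHtml(dest)}"></iframe>`;
}

// Constructed sample inputs (illustrative; not the reported proof of concept).
const SAMPLE_INPUTS = [
  '"><script>alert(document.cookie)</script>', // attribute break-out
  'javascript:alert(1)',                        // scheme-based execution
  '//evil.example/phish',                       // protocol-relative redirect to a phishing page
  'https://portal.example.test/home',           // legitimate absolute same-origin URL
  '/intranet/home?tab=1',                       // legitimate relative path
];

// Runs both handlers over the samples so the difference is visible side by side.
function audit(inputs) {
  return inputs.map(v => ({
    input: v,
    vulnerable: renderVulnerable(v),
    hardened: renderHardened(v),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of audit(SAMPLE_INPUTS)) console.log(row);
}

module.exports = { validateDestination, escapeHtml, renderVulnerable, renderHardened, audit, SAMPLE_INPUTS };
```

The allowlist deliberately returns a path rather than the original string, so whatever is rendered or redirected to has been rebuilt from parsed components; an encoder alone would stop the attribute break-out but would still let 'javascript:' or an off-site URL through into a navigation.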
OpenCVE Enrichment