Description
Cross-Site Scripting (XSS) vulnerability in Intermark IT's WebControl CMS v3.5. This vulnerability allows an attacker to execute JavaScript code or inject a dynamic iframe into the victim’s browser by sending a malicious URL via the 'urlDestino' parameter in '/portal.do'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, display phishing interfaces, or perform actions on the user’s behalf.
Published: 2026-06-30
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WebControl CMS version 3.5 contains an XSS flaw that allows an attacker to supply a malicious URL through the 'urlDestino' query parameter in the '/portal.do' endpoint. By injecting JavaScript or a dynamic iframe, the attacker can manipulate the victim’s browser, steal session cookies, display phishing interfaces, and perform actions on the user’s behalf. This vulnerability is a typical CWE‑79 instance that grants a moderate level of compromise to confidentiality and integrity.

Affected Systems

Intermark IT WebControl CMS 3.5 is impacted. No specific installation or configuration details are provided beyond the product version.

Risk and Exploitability

The CVSS score of 5.1 indicates a medium severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation evidence. Exploitation requires a remote attacker to craft a URL containing the malicious payload and persuade a legitimate user to visit '/portal.do?urlDestino=…'. Absent a vendor patch, the threat is mitigatable through input filtering and WAF rules, but the potential to surreptitiously obtain session data or launch phishing remains.

Generated by OpenCVE AI on June 30, 2026 at 10:22 UTC.

Remediation

Vendor Solution

No solution has been reported at this time.


OpenCVE Recommended Actions

  • Enforce strict validation and sanitization of the 'urlDestino' parameter or block its usage in the CMS.
  • Deploy a web application firewall rule that detects and blocks XSS payloads targeting '/portal.do' with the 'urlDestino' parameter.
  • Add a strict Content‑Security‑Policy header to the CMS responses to prevent execution of injected scripts.

Generated by OpenCVE AI on June 30, 2026 at 10:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Scripting (XSS) vulnerability in Intermark IT's WebControl CMS v3.5. This vulnerability allows an attacker to execute JavaScript code or inject a dynamic iframe into the victim’s browser by sending a malicious URL via the 'urlDestino' parameter in '/portal.do'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, display phishing interfaces, or perform actions on the user’s behalf.
Title Multiple vulnerabilities in Intermark IT's WebControl CMS
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-06-30T13:14:14.775Z

Reserved: 2026-04-24T11:24:39.212Z

Link: CVE-2026-6954

cve-icon Vulnrichment

Updated: 2026-06-30T13:14:09.034Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T10:30:11Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')