Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered reflected XSS requires user interaction (UI:R), changes scope to victim's browser (S:C), enabling cookie theft (C:L) and unauthorized actions (I:L), with no availability impact.
Primary rating from Vendor (INCIBE).
CVSS VectorVendor: INCIBE
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Cross-Site Scripting (XSS) vulnerability in Intermark IT's WebControl CMS v3.5. This vulnerability allows an attacker to execute JavaScript code or inject a dynamic iframe into the victim’s browser by sending a malicious URL via the 'urlDestino' parameter in '/portal.do'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, display phishing interfaces, or perform actions on the user’s behalf.
AnalysisAI
Reflected Cross-Site Scripting in Intermark IT's WebControl CMS v3.5 allows an unauthenticated remote attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into visiting a crafted URL targeting the 'urlDestino' parameter of the '/portal.do' endpoint. Successful exploitation enables session cookie theft, phishing overlay injection, and unauthorized actions performed within the victim's authenticated session context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to actively click a specially crafted URL containing the malicious 'urlDestino' parameter value directed at the '/portal.do' endpoint - this is an active user interaction requirement (UI:A per the CVSS 4.0 vector), not a passive page-load trigger. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.1 (Medium) reflects a nuanced risk profile: while network-accessible with no authentication required and low complexity (AV:N/AC:L/PR:N), exploitation requires user interaction (UI:A - active click), and the impact is confined to subsequent-system integrity (SI:L), with no confidentiality or availability impact on either the vulnerable or subsequent system per the vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL targeting the WebControl CMS portal endpoint with a malicious payload embedded in the 'urlDestino' parameter - for example, appending a script tag or iframe injection string - and delivers it to a target user via phishing email, social media, or a compromised website link. The victim, who holds an active authenticated session in the CMS, clicks the link and their browser executes the injected JavaScript, which exfiltrates the session cookie to an attacker-controlled server. … |
| Remediation | Upgrade to a patched version of WebControl CMS as directed by the vendor Intermark IT and the INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-intermark-its-webcontrol-cms. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Webcontrol Cms
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40271
GHSA-865c-wrhg-fwg8