Skip to main content

Webcontrol Cms

2 CVEs product

Monthly

CVE-2026-6954 MEDIUM This Month

Reflected Cross-Site Scripting in Intermark IT's WebControl CMS v3.5 allows an unauthenticated remote attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into visiting a crafted URL targeting the 'urlDestino' parameter of the '/portal.do' endpoint. Successful exploitation enables session cookie theft, phishing overlay injection, and unauthorized actions performed within the victim's authenticated session context. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CVSS 4.0 score of 5.1 reflects a meaningful subsequent-system integrity impact via the user's browser.

XSS Webcontrol Cms
NVD VulDB
CVSS 4.0
5.1
EPSS
0.4%
CVE-2026-6953 MEDIUM This Month

HTML injection in Intermark IT's WebControl CMS v3.5 enables unauthenticated remote attackers to embed malicious markup in outbound emails generated by the contact form, delivered to recipients such as site administrators. Exploitation targets three unsanitized parameters — 'nombreApellidos', 'dirección', and 'comentarios' — in a POST request to '/processContact.do', with the injected content rendered when the recipient opens the resulting email in an HTML-capable mail client. No public exploit code or active exploitation has been identified at time of analysis; the CVSS 4.0 score of 5.1 reflects limited scope impact confined to the recipient's mail client.

XSS Webcontrol Cms
NVD VulDB
CVSS 4.0
5.1
EPSS
0.4%
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected Cross-Site Scripting in Intermark IT's WebControl CMS v3.5 allows an unauthenticated remote attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into visiting a crafted URL targeting the 'urlDestino' parameter of the '/portal.do' endpoint. Successful exploitation enables session cookie theft, phishing overlay injection, and unauthorized actions performed within the victim's authenticated session context. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CVSS 4.0 score of 5.1 reflects a meaningful subsequent-system integrity impact via the user's browser.

XSS Webcontrol Cms
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

HTML injection in Intermark IT's WebControl CMS v3.5 enables unauthenticated remote attackers to embed malicious markup in outbound emails generated by the contact form, delivered to recipients such as site administrators. Exploitation targets three unsanitized parameters — 'nombreApellidos', 'dirección', and 'comentarios' — in a POST request to '/processContact.do', with the injected content rendered when the recipient opens the resulting email in an HTML-capable mail client. No public exploit code or active exploitation has been identified at time of analysis; the CVSS 4.0 score of 5.1 reflects limited scope impact confined to the recipient's mail client.

XSS Webcontrol Cms
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy