Webcontrol Cms
Monthly
Reflected Cross-Site Scripting in Intermark IT's WebControl CMS v3.5 allows an unauthenticated remote attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into visiting a crafted URL targeting the 'urlDestino' parameter of the '/portal.do' endpoint. Successful exploitation enables session cookie theft, phishing overlay injection, and unauthorized actions performed within the victim's authenticated session context. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CVSS 4.0 score of 5.1 reflects a meaningful subsequent-system integrity impact via the user's browser.
HTML injection in Intermark IT's WebControl CMS v3.5 enables unauthenticated remote attackers to embed malicious markup in outbound emails generated by the contact form, delivered to recipients such as site administrators. Exploitation targets three unsanitized parameters — 'nombreApellidos', 'dirección', and 'comentarios' — in a POST request to '/processContact.do', with the injected content rendered when the recipient opens the resulting email in an HTML-capable mail client. No public exploit code or active exploitation has been identified at time of analysis; the CVSS 4.0 score of 5.1 reflects limited scope impact confined to the recipient's mail client.
Reflected Cross-Site Scripting in Intermark IT's WebControl CMS v3.5 allows an unauthenticated remote attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into visiting a crafted URL targeting the 'urlDestino' parameter of the '/portal.do' endpoint. Successful exploitation enables session cookie theft, phishing overlay injection, and unauthorized actions performed within the victim's authenticated session context. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CVSS 4.0 score of 5.1 reflects a meaningful subsequent-system integrity impact via the user's browser.
HTML injection in Intermark IT's WebControl CMS v3.5 enables unauthenticated remote attackers to embed malicious markup in outbound emails generated by the contact form, delivered to recipients such as site administrators. Exploitation targets three unsanitized parameters — 'nombreApellidos', 'dirección', and 'comentarios' — in a POST request to '/processContact.do', with the injected content rendered when the recipient opens the resulting email in an HTML-capable mail client. No public exploit code or active exploitation has been identified at time of analysis; the CVSS 4.0 score of 5.1 reflects limited scope impact confined to the recipient's mail client.