CVE-2022-50952
Persistent XSS in Banco Guayaquil iOS App Profile Input
Publication date: 2026-02-01
Last updated on: 2026-02-01
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| banco_guayaquil | banco_guayaquil | 8.0.0 |
| banco_guayaquil | banco_guayaquil | earlier than 8.0.0 (8.0.0 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2022-50952 is a persistent (stored) cross-site scripting vulnerability in version 8.0.0 of the Banco Guayaquil iOS app. The profile name text box accepts script code submitted in a POST request, stores it without neutralizing it, and later renders it unescaped: the injected script runs every time the app is restarted and the profile is viewed, with no further user interaction. The root cause is insufficient input validation on the way in and missing output encoding on the way out (CWE-79), which lets attacker-controlled markup execute in the app's own context. [2, 3]
How can this vulnerability impact me?
An attacker who can set the profile name gets script that executes persistently inside the Banco Guayaquil app whenever the profile is viewed. Anything the app exposes to that rendering context is then reachable: the script can perform actions as the logged-in user, tamper with displayed data, or exfiltrate sensitive information. Because the payload is stored, it keeps firing across restarts until it is removed. In CVSS terms the attack is reachable over the network and needs only a low-privileged (authenticated) account, and the overall rating is medium severity. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The presence of the flaw is confirmed by submitting a script payload to the profile name field via the profile-update POST request and checking whether it executes after the app is restarted and the profile is viewed. Do this only against a build and backend you are authorized to test; injecting payloads into a production banking system you do not own is not a detection method. On the defender side, detection means inspecting profile-name update requests reaching the backend for script content: HTML tags, inline event handlers, `javascript:` URIs, and encoded variants such as URL-encoded or base64-encoded `<script>` elements, which attackers use to slip past naive filters. The app talks to its backend over TLS, so this inspection has to happen at the API gateway or in application logs rather than on the wire. Specific commands are not provided in the resources. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
The fix belongs in the app and its backend: validate the profile name when it is stored (a display name has no legitimate need for angle brackets, quotes or script syntax) and, independently of that, HTML-encode or otherwise escape the name at every place it is rendered, so that a value which slips past validation is displayed as text rather than interpreted as markup. Output encoding is the control that actually closes CWE-79; input validation alone is bypassable through encoded payloads. Where the profile is rendered in a web view, a Content-Security-Policy that forbids inline script limits what any injected payload can still do. Developers should apply the vendor update that addresses input validation and output encoding; until then, users should treat the profile name field as untrusted and avoid entering or accepting unfamiliar content in it. [2]