CVE-2022-50952
Unknown Unknown - Not Provided

Persistent XSS in Banco Guayaquil iOS App Profile Input

Vulnerability report for CVE-2022-50952, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-01

Last updated on: 2026-02-01

Assigner: VulnCheck

Description

Banco Guayaquil 8.0.0 mobile iOS application contains a persistent cross-site scripting vulnerability in the TextBox Name Profile input. Attackers can inject malicious script code through a POST request that executes on application review without user interaction.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-01
Last Modified
2026-02-01
Generated
2026-07-06
AI Q&A
2026-02-01
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
banco_guayaquil banco_guayaquil 8.0.0
banco_guayaquil banco_guayaquil to 8.0.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2022-50952 is a persistent cross-site scripting (XSS) vulnerability in the Banco Guayaquil mobile iOS application version 8.0.0. It occurs in the TextBox Name Profile input field where attackers can inject malicious script code via a POST request. This malicious code is stored and executes every time the application is restarted and the profile is reviewed, without requiring any user interaction. The vulnerability arises due to insufficient input validation and improper neutralization of input, allowing persistent script execution within the app context. [2, 3]

Impact Analysis

This vulnerability can impact users by allowing attackers to execute malicious scripts persistently within the Banco Guayaquil mobile app. This can lead to unauthorized actions, data manipulation, or exposure of sensitive information within the app context. Since the script executes without user interaction after injection, it can compromise user data integrity and application security. The attack requires restricted user privileges but can be performed remotely via network. The overall risk is medium severity. [2, 3]

Detection Guidance

This vulnerability can be detected by attempting to inject malicious script code into the TextBox Name Profile input field of the Banco Guayaquil iOS app via a POST request and then observing if the script executes persistently upon application restart and profile review. Detection involves monitoring POST requests to the profile name input and checking for script injection payloads such as JavaScript alerts or base64-encoded script tags. Since this is an application-level vulnerability, network detection might include capturing and analyzing POST requests to the app's backend for suspicious script content. Specific commands are not provided in the resources. [2, 3]

Mitigation Strategies

Immediate mitigation steps include properly encoding, securely parsing, and escaping all user inputs in the profile name TextBox field to prevent script injection. Additionally, sanitizing output locations where the injected code might execute is necessary to prevent persistent cross-site scripting. Users should avoid entering untrusted input into the profile name field until a patch is applied. Developers should apply patches or updates that address input validation and output sanitization to fix the vulnerability. [2]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50952. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart