CVE-2022-50952
Unknown Unknown - Not Provided
Persistent XSS in Banco Guayaquil iOS App Profile Input

Publication date: 2026-02-01

Last updated on: 2026-02-01

Assigner: VulnCheck

Description
Banco Guayaquil 8.0.0 mobile iOS application contains a persistent cross-site scripting vulnerability in the TextBox Name Profile input. Attackers can inject malicious script code through a POST request that executes on application review without user interaction.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-01
Last Modified
2026-02-01
Generated
2026-06-16
AI Q&A
2026-02-01
EPSS Evaluated
2026-06-14
NVD
CVE-2022-50952
EUVD
EUVD-2022-55945
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
banco_guayaquil banco_guayaquil 8.0.0
banco_guayaquil banco_guayaquil to 8.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2022-50952 is a persistent cross-site scripting (XSS) vulnerability in the Banco Guayaquil mobile iOS application version 8.0.0. It occurs in the TextBox Name Profile input field where attackers can inject malicious script code via a POST request. This malicious code is stored and executes every time the application is restarted and the profile is reviewed, without requiring any user interaction. The vulnerability arises due to insufficient input validation and improper neutralization of input, allowing persistent script execution within the app context. [2, 3]

Impact Analysis

This vulnerability can impact users by allowing attackers to execute malicious scripts persistently within the Banco Guayaquil mobile app. This can lead to unauthorized actions, data manipulation, or exposure of sensitive information within the app context. Since the script executes without user interaction after injection, it can compromise user data integrity and application security. The attack requires restricted user privileges but can be performed remotely via network. The overall risk is medium severity. [2, 3]

Detection Guidance

This vulnerability can be detected by attempting to inject malicious script code into the TextBox Name Profile input field of the Banco Guayaquil iOS app via a POST request and then observing if the script executes persistently upon application restart and profile review. Detection involves monitoring POST requests to the profile name input and checking for script injection payloads such as JavaScript alerts or base64-encoded script tags. Since this is an application-level vulnerability, network detection might include capturing and analyzing POST requests to the app's backend for suspicious script content. Specific commands are not provided in the resources. [2, 3]

Mitigation Strategies

Immediate mitigation steps include properly encoding, securely parsing, and escaping all user inputs in the profile name TextBox field to prevent script injection. Additionally, sanitizing output locations where the injected code might execute is necessary to prevent persistent cross-site scripting. Users should avoid entering untrusted input into the profile name field until a patch is applied. Developers should apply patches or updates that address input validation and output sanitization to fix the vulnerability. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50952. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart