CVE-2022-50957
Analyzed Analyzed - Analysis Complete
Reflected XSS in Drupal Avatar Uploader Module

Publication date: 2026-05-10

Last updated on: 2026-06-04

Assigner: VulnCheck

Description
Drupal avatar_uploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avatar_uploader.pages.inc to execute arbitrary JavaScript in victim browsers.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-10
Last Modified
2026-06-04
Generated
2026-06-19
AI Q&A
2026-05-10
EPSS Evaluated
2026-06-18
NVD
CVE-2022-50957
EUVD
EUVD-2022-55978
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
avatar_uploader_project avatar_uploader 7.x-1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability is a reflected cross-site scripting (XSS) issue that allows attackers to execute arbitrary JavaScript in victim browsers by manipulating the file parameter. Such vulnerabilities can lead to unauthorized access to user data or session hijacking, which may impact the confidentiality and integrity of personal data.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, reflected XSS vulnerabilities generally pose risks to data protection and privacy requirements mandated by these regulations. Exploitation could result in unauthorized disclosure or manipulation of personal data, potentially leading to non-compliance with such standards.

Executive Summary

CVE-2022-50957 is a reflected cross-site scripting (XSS) vulnerability in the Drupal avatar_uploader module version 7.x-1.0-beta8 or earlier.

This vulnerability allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter in the avatar_uploader.pages.inc file.

Attackers can craft URLs containing script payloads in this file parameter, which when visited by victims, execute arbitrary JavaScript in their browsers.

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript code in the browsers of users who visit a maliciously crafted URL.

Such script execution can lead to theft of sensitive information, session hijacking, or other malicious actions performed on behalf of the victim.

Since the attack requires only that a user clicks a crafted link, it can be exploited without authentication, increasing the risk.

Detection Guidance

This vulnerability can be detected by testing for reflected cross-site scripting (XSS) in the file parameter of the avatar_uploader.pages.inc script in the Drupal avatar_uploader module version 7.x-1.0-beta8 or earlier.

One approach is to craft URLs with script payloads injected into the file parameter and observe if the payload is executed in the browser, indicating the presence of the vulnerability.

Specific commands or automated tools are not provided in the available resources.

Mitigation Strategies

The provided resources do not specify immediate mitigation steps for this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50957. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart