CVE-2022-50964
Reflected XSS in uBidAuction 2.0.1 Filter Parameters
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ubidauction | ubidauction | to 2.0.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2022-50964 is a reflected cross-site scripting (XSS) vulnerability found in uBidAuction version 2.0.1 and earlier, specifically in the "auctions/myAuctions/status/loose" module.
The vulnerability arises because the filter functionality does not properly sanitize certain parameters: date_created, date_from, date_to, and created_at.
Attackers can exploit this flaw by sending specially crafted GET requests containing malicious scripts. These scripts then execute in the browsers of users who receive the response, potentially compromising their security.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing remote attackers to execute malicious scripts in the browsers of users interacting with the affected module.
- Execution of malicious scripts can lead to theft of sensitive information such as cookies, session tokens, or other private data.
- Attackers might perform actions on behalf of the victim, leading to unauthorized operations.
- It can degrade user trust and potentially lead to further exploitation of the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP GET requests to the affected module path "auctions/myAuctions/status/loose" and inspecting the parameters date_created, date_from, date_to, and created_at for suspicious or malicious script content.
A practical approach is to use network traffic analysis tools or web server logs to identify requests containing script tags or unusual payloads in these parameters.
Example commands to detect such attempts include:
- Using grep on web server logs to find suspicious GET requests: grep -iE 'date_created=|date_from=|date_to=|created_at=' /var/log/apache2/access.log | grep -i '<script>'
- Using curl to test the endpoint with a crafted payload: curl -G 'http://target/auctions/myAuctions/status/loose' --data-urlencode "date_created=<script>alert(1)</script>"
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Apply input validation and sanitization on the date_created, date_from, date_to, and created_at parameters to prevent injection of malicious scripts.
- If a patch or updated version of uBidAuction is available, upgrade to the fixed version to address the vulnerability.
- Implement web application firewall (WAF) rules to detect and block malicious payloads targeting these parameters.
- Educate users to avoid clicking on suspicious links that may exploit this reflected XSS vulnerability.