CVE-2022-50967
Received Received - Intake
Reflected XSS in uBidAuction 2.0.1 Tickets Module

Publication date: 2026-05-10

Last updated on: 2026-05-10

Assigner: VulnCheck

Description
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the tickets/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-10
Last Modified
2026-05-10
Generated
2026-06-19
AI Q&A
2026-05-10
EPSS Evaluated
2026-06-18
NVD
CVE-2022-50967
EUVD
EUVD-2022-55988
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ubidauction ubidauction 2.0.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how the reflected cross-site scripting (XSS) vulnerability in uBidAuction 2.0.1 affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2022-50967 is a reflected cross-site scripting (XSS) vulnerability found in uBidAuction version 2.0.1, specifically in the tickets/manage module.

The vulnerability arises because the parameters date_created, date_from, date_to, and created_at in the filter functionality are not properly sanitized.

This improper input sanitization allows remote attackers to craft GET requests containing malicious scripts that get executed in the browsers of victims when they access the affected functionality.

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts in the browsers of users who visit the affected pages.

Such script execution can lead to theft of sensitive information like cookies, session tokens, or other private data accessible to the browser.

It can also enable attackers to perform actions on behalf of the victim, potentially leading to account compromise or unauthorized operations.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious or crafted GET requests targeting the tickets/manage module, specifically those including the parameters date_created, date_from, date_to, and created_at with potentially malicious script content.

You can use network traffic inspection tools or web server logs to identify such requests.

  • Use curl or wget to manually test the parameters with script payloads, for example: curl "http://yourserver/tickets/manage?date_created=<script>alert(1)</script>"
  • Use grep or similar tools on web server logs to search for suspicious script tags in the relevant parameters.
  • Employ web vulnerability scanners that support reflected XSS detection on the affected endpoints.
Mitigation Strategies

Immediate mitigation steps include implementing proper input sanitization and validation on the date_created, date_from, date_to, and created_at parameters in the tickets/manage module to prevent injection of malicious scripts.

Additionally, consider applying any available patches or updates from the vendor that address this vulnerability.

As a temporary measure, you can also employ web application firewalls (WAFs) to block requests containing suspicious script content in these parameters.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50967. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart