CVE-2022-50969
Reflected XSS in uBidAuction Backend MailingLog Module
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ubidauction | ubidauction | 2.0.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2022-50969 is a reflected cross-site scripting (XSS) vulnerability found in uBidAuction version 2.0.1, specifically in the backend/mailingLog/manage module.
The vulnerability occurs because the filter functionality parameters date_created, date_from, date_to, and created_at are not properly sanitized. This allows remote attackers to inject malicious scripts via crafted GET requests.
When a victim accesses a crafted URL, the injected script executes in their browser, potentially leading to unauthorized actions or data exposure.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to execute malicious scripts in the browsers of users who access the vulnerable module.
- Attackers can steal session cookies or other sensitive information.
- It can lead to unauthorized actions performed on behalf of the victim.
- It may result in defacement or manipulation of the web interface.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted GET requests to the backend/mailingLog/manage module, specifically targeting the date_created, date_from, date_to, and created_at parameters to check if they are properly sanitized.
For example, you can use curl commands to test for reflected cross-site scripting by injecting script tags or JavaScript payloads into these parameters and observing if the response reflects the injected code without proper encoding or sanitization.
```bash
curl -G 'http://your-target/backend/mailingLog/manage' --data-urlencode 'date_created=<script>alert(1)</script>'
curl -G 'http://your-target/backend/mailingLog/manage' --data-urlencode 'date_from=<script>alert(1)</script>'
curl -G 'http://your-target/backend/mailingLog/manage' --data-urlencode 'date_to=<script>alert(1)</script>'
curl -G 'http://your-target/backend/mailingLog/manage' --data-urlencode 'created_at=<script>alert(1)</script>'
```
If the response body echoes the injected `<script>` tag back unencoded, that parameter is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and validating all user-supplied input in the date_created, date_from, date_to, and created_at parameters to prevent injection of malicious scripts.
Additionally, applying any available patches or updates from the vendor for uBidAuction version 2.0.1 is recommended.
As a temporary measure, restricting access to the backend/mailingLog/manage module to trusted users or IP addresses can reduce exposure.
Implementing Content Security Policy (CSP) headers can also help mitigate the impact of any reflected XSS attacks.
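The following Python sketch is an added illustration of the first mitigation step; it is not uBidAuction's own code (the vulnerable handler is not shown on this page). It takes the four filter parameter names from the advisory, accepts only real ISO dates, and HTML-escapes anything reflected into the filter form; the function names are assumed.

```python
import html
import re
from datetime import date

# Filter parameters the advisory names as reflected without sanitization.
DATE_FILTER_PARAMS = ("date_created", "date_from", "date_to", "created_at")

# Strict allow-list: only YYYY-MM-DD is even considered.
_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def validate_date_filters(query: dict) -> tuple:
    """Split the date filter parameters into (accepted, rejected).

    A value is accepted only if it matches YYYY-MM-DD and is a real
    calendar date. Anything else, including markup or script tags, is
    rejected by name and is never echoed back into the page.
    """
    accepted, rejected = {}, []
    for name in DATE_FILTER_PARAMS:
        value = query.get(name)
        if value is None or value == "":
            continue  # parameter not supplied: nothing to filter on
        if _DATE_RE.match(value):
            try:
                date.fromisoformat(value)  # rejects e.g. 2022-02-30
                accepted[name] = value
                continue
            except ValueError:
                pass
        rejected.append(name)
    return accepted, rejected


def render_filter_form(accepted: dict) -> str:
    """Build the filter inputs with every reflected value HTML-escaped.

    Output encoding is applied even to validated values, so the page
    stays safe if the validator is ever bypassed (defence in depth).
    """
    fields = []
    for name in DATE_FILTER_PARAMS:
        value = html.escape(accepted.get(name, ""), quote=True)
        fields.append(f'<input name="{name}" value="{value}">')
    return "\n".join(fields)


if __name__ == "__main__":
    # Constructed request: one valid date, one script payload, one bogus date.
    q = {"date_from": "2022-01-31", "date_to": "<script>alert(1)</script>",
         "created_at": "2022-02-30"}
    ok, bad = validate_date_filters(q)
    print(ok, bad)
    print(render_filter_form(ok))
```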