VYPR
Medium severity 6.1 · NVD Advisory · Published May 10, 2026 · Updated May 12, 2026

CVE-2022-50962

Description

uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the orders/myOrders module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

uBidAuction 2.0.1 reflected XSS in orders/myOrders filter parameters allows remote attackers to execute malicious scripts in victims' browsers.

uBidAuction 2.0.1, a PHP-based auction script, is vulnerable to a reflected cross-site scripting (XSS) attack in the orders/myOrders module. The filter functionality fails to sanitize the date_created, date_from, date_to, and created_at GET parameters, allowing injection of arbitrary HTML and JavaScript [1][4].

An attacker can craft a malicious URL containing a payload in one of these parameters and trick a victim into clicking it. No authentication is required; the script executes in the context of the victim's session. Proof-of-concept exploits have been published, demonstrating the injection of iframes and alert dialogs [2][3].

Successful exploitation enables an attacker to perform actions such as session hijacking, credential theft, or defacement within the user's browser. The CVSS v3 base score is 6.1 (Medium), reflecting the potential for data compromise and the ease of exploitation [4].

As of the publication date of this CVE, no official patch has been released by the vendor. Users are advised to implement input validation and output encoding as a workaround, or consider migrating to a supported solution [1].
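The input-validation and output-encoding workaround, sketched as an added example for the four filter parameters named in the description. This is not uBidAuction code: the function names are hypothetical, the `Y-m-d` date format is an assumption about what the filter expects, and PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Parameter names come from the advisory; the Y-m-d format is an assumption.
const DATE_FILTER_PARAMS = ['date_created', 'date_from', 'date_to', 'created_at'];

// Return the value only if it is a real calendar date in strict Y-m-d form,
// otherwise null. Non-string input (e.g. an array-typed parameter) is rejected.
function parse_date_filter(mixed $raw): ?string
{
    if (!is_string($raw) || !preg_match('/\A\d{4}-\d{2}-\d{2}\z/', $raw)) {
        return null;
    }
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    // The round trip rejects overflow dates such as 2022-02-31.
    return ($dt !== false && $dt->format('Y-m-d') === $raw) ? $raw : null;
}

// Allow-list filter: keep only the known parameters that hold valid dates.
function clean_date_filters(array $query): array
{
    $clean = [];
    foreach (DATE_FILTER_PARAMS as $name) {
        $value = parse_date_filter($query[$name] ?? null);
        if ($value !== null) {
            $clean[$name] = $value;
        }
    }
    return $clean;
}

// Encode for an HTML text or quoted-attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for $_GET.
$query = [
    'date_from'    => '2022-01-15',
    'date_to'      => '2022-02-31',           // not a real date: dropped
    'created_at'   => '"><b>not a date</b>',  // markup instead of a date: dropped
    'date_created' => ['2022-01-01'],         // array-typed input: dropped
];

foreach (clean_date_filters($query) as $name => $value) {
    // Encode at output even though the value already passed validation.
    printf("<input type=\"date\" name=\"%s\" value=\"%s\">\n", h($name), h($value));
}
```

Only `date_from` survives validation here, so a single `<input>` element is printed; the encoding step stays in place as the second layer for any value that reaches the page by another path.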

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

4
