CVE-2022-50963
Description
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/active module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
uBidAuction 2.0.1 suffers from reflected XSS in the myAuctions filter module due to unsanitized date parameters, enabling script injection via crafted GET requests.
Vulnerability
Overview
uBidAuction 2.0.1 contains a reflected cross-site scripting (XSS) vulnerability in the auctions/myAuctions/status/active module. The date_created, date_from, date_to, and created_at parameters used in the filter functionality are not properly sanitized before being reflected in the response [1][2][3]. This allows an attacker to inject arbitrary HTML and JavaScript code via crafted GET requests.
Exploitation
The vulnerability is exploitable without authentication, as the filter parameters are processed directly from user input in the URL. An attacker can craft a malicious link containing a payload in one of the vulnerable parameters (e.g., date_from=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E) and trick a victim into clicking it [4]. The injected script executes in the context of the victim's browser session on the affected uBidAuction site.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, cookie theft, defacement of the page, or redirection to malicious sites. The CVSS v3 score of 6.1 (Medium) reflects the need for user interaction and the non-persistent nature of the attack, but the impact on confidentiality and integrity is significant [1][3].
Mitigation
As of the latest available information, the vendor has not released a public patch for this vulnerability. Users are advised to apply input validation and output encoding on the affected parameters, or consider upgrading to a newer version if available. The vulnerability has been publicly disclosed and a proof-of-concept is available, increasing the risk of exploitation [2][4].
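To make the recommended mitigation concrete, here is an added Python sketch (not uBidAuction's own code, which is not on this page) that reflects the filter parameters the way the advisory describes, alongside a hardened version that whitelists a plain YYYY-MM-DD format and HTML-encodes the value before it reaches the page. The parameter names and the example payload come from the advisory; the function names, the ISO date format and the `<input>` markup are assumptions.

```python
import html
import re
from urllib.parse import parse_qs

# Parameter names are from the advisory; everything else is hypothetical.
FILTER_PARAMS = ("date_created", "date_from", "date_to", "created_at")
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # assumed filter date format

# The payload from the advisory's example URL (constructed query string).
PAYLOAD_QUERY = (
    "date_from=%22%3E%3Ciframe+src%3Devil.source"
    "+onload%3Dalert%28document.cookie%29%3E"
)


def vulnerable_render(query):
    """Reflect each filter value verbatim into an <input> (the reported behaviour)."""
    params = parse_qs(query, keep_blank_values=True)
    inputs = []
    for name in FILTER_PARAMS:
        value = params.get(name, [""])[0]
        inputs.append(f'<input name="{name}" value="{value}">')
    return "".join(inputs)


def hardened_render(query):
    """Validate against a strict date format, then HTML-encode before reflecting."""
    params = parse_qs(query, keep_blank_values=True)
    inputs = []
    for name in FILTER_PARAMS:
        value = params.get(name, [""])[0]
        if not ISO_DATE.fullmatch(value):
            value = ""  # drop anything that is not a plain date
        # html.escape with quote=True neutralises <, >, &, " and ' so the
        # value cannot close the attribute or start a new tag.
        safe = html.escape(value, quote=True)
        inputs.append(f'<input name="{name}" value="{safe}">')
    return "".join(inputs)


def contains_injected_tag(rendered):
    """True if the markup has more tag openers than the inputs we emit ourselves."""
    return rendered.count("<") != len(FILTER_PARAMS)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_render(PAYLOAD_QUERY))
    print("hardened:  ", hardened_render(PAYLOAD_QUERY))
```

Running it shows the verbatim reflection breaking out of the value attribute into a new tag, while the hardened output contains only the four inputs the template emits.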
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: =2.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.