CVE-2022-50964
Description
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/loose module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
uBidAuction 2.0.1 has a reflected XSS in the myAuctions filter due to unsanitized date parameters, enabling script injection via crafted GET requests.
Vulnerability Overview
uBidAuction 2.0.1 contains a reflected cross-site scripting (XSS) vulnerability in the auctions/myAuctions/status/loose module. The date_created, date_from, date_to, and created_at parameters used in the filter functionality are not properly sanitized before being reflected in the response [2][3]. This allows an attacker to inject arbitrary HTML and JavaScript code.
Exploitation Details
The vulnerability is triggered via a crafted GET request. An attacker can embed malicious script in one of the unsanitized parameters and trick a victim into clicking the link. No authentication is required for the attacker to craft the URL, but the victim must be logged into the application for the injected script to execute in their session context [2][4]. The provided proof-of-concept demonstrates injecting an iframe with an onload event that triggers alert(document.cookie) [4].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, cookie theft, defacement, or other actions performed within the context of the victim's session. The CVSS v3 base score is 6.1 (Medium), reflecting the need for user interaction and the potential for partial impact on confidentiality and integrity [3].
Mitigation Status
The vendor was notified in September 2022, but no official patch has been confirmed in the available references [2]. Users are advised to implement input sanitization for the affected parameters or consider migrating to a supported alternative if the product is no longer maintained.
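As an added illustration of the mitigation above (example code written for this page, not uBidAuction's own code; the entry does not state the application's implementation language, so Python is used here): the four named date parameters are allowlisted as ISO calendar dates before use, and any value reflected back into the page is HTML-encoded for its attribute context. The function names and the request dictionary are assumptions.

```python
import re
import html
from datetime import date

# Allowlist: the four filter parameters named in the advisory. Each is expected
# to be a calendar date in YYYY-MM-DD form; anything else is rejected before it
# can reach the response.
DATE_PARAMS = ("date_created", "date_from", "date_to", "created_at")
ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")


def validate_date_param(value):
    """Return value if it is a real YYYY-MM-DD date, otherwise None."""
    if not isinstance(value, str) or not ISO_DATE.fullmatch(value):
        return None
    try:
        date.fromisoformat(value)  # rejects shapes like 2022-02-30
    except ValueError:
        return None
    return value


def clean_filter(query):
    """Validate every recognised date parameter and drop everything else.

    Returns (accepted, rejected): accepted maps name -> validated value,
    rejected lists parameter names whose values failed validation.
    """
    accepted, rejected = {}, []
    for name in DATE_PARAMS:
        if name in query:
            ok = validate_date_param(query[name])
            if ok is None:
                rejected.append(name)
            else:
                accepted[name] = ok
    return accepted, rejected


def render_filter_field(name, value):
    """Reflect a value into an HTML attribute with contextual encoding.

    Encoding is applied at output time regardless of validation, so a value
    that somehow bypasses the allowlist is still inert in the attribute.
    """
    return '<input name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(value, quote=True))


if __name__ == "__main__":
    # Constructed request: two valid dates, one impossible date, and one crafted
    # value of the kind the advisory describes (iframe with an onload handler).
    request = {"date_from": "2022-09-01", "date_to": "2022-09-30",
               "date_created": "2022-02-30",
               "created_at": '"><iframe onload=alert(1)>'}
    accepted, rejected = clean_filter(request)
    print("accepted:", accepted, "rejected:", rejected)
    for n, v in accepted.items():
        print(render_filter_field(n, v))
    print(render_filter_field("created_at", request["created_at"]))
```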
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.