VYPR
Medium severity, CVSS 6.1 · NVD Advisory · Published May 10, 2026 · Updated May 12, 2026

CVE-2022-50965

Description

uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the posts/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

uBidAuction 2.0.1 suffers from reflected XSS via unsanitized date parameters in the posts/manage filter, allowing attackers to execute arbitrary JavaScript in victim browsers.

Vulnerability

uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the posts/manage module. The date_created, date_from, date_to, and created_at parameters of the filter functionality are reflected into the page without proper sanitization, so an attacker can inject arbitrary HTML and JavaScript via crafted GET requests [4]. The issue is non-persistent (reflected) XSS: the payload travels in the request URL rather than being stored by the application. It has been assigned CVE-2022-50965.

Exploitation

The vulnerability is exploited remotely by delivering a crafted URL to a victim; the attacker needs no account on the application. The injected script runs in the victim's browser with whatever session that browser holds, so the impact is greatest when the victim is logged in, but the reflection itself fires whether or not a session exists. Publicly available proof-of-concept examples inject iframes and script tags that trigger on page load, for example: https://bid-auction.localhost:8080/orders/myOrders?order_number=1&created_at=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E [3]. Decoded, the created_at value is "><iframe src=evil.source onload=alert(document.cookie)>: the leading "> closes the double-quoted attribute into which the parameter is reflected, and the iframe's onload handler then runs as soon as the page renders. Note that this PoC reflects created_at on /orders/myOrders, while the advisory description names the posts/manage filter; when verifying a fix, test every page that echoes these date parameters.
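The mechanics of the PoC above, as an added example that is not part of the advisory or of uBidAuction's code. The filter-form fragment is a stand-in (the real markup is not on the page), and render_filter_vulnerable, render_filter_fixed, is_valid_date and injected_tags are names introduced here for illustration. The script decodes the created_at value from the PoC URL, reflects it into a double-quoted value attribute both unencoded and with attribute encoding, and parses the result to show that the leading "> breaks out of the attribute only in the unencoded case; it also shows that a strict date allow-list rejects the payload outright.

```python
import html
import re
from datetime import date
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The proof-of-concept URL quoted in the advisory text.
POC_URL = (
    "https://bid-auction.localhost:8080/orders/myOrders?order_number=1"
    "&created_at=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E"
)


def extract_param(url: str, name: str) -> str:
    """Return the percent-decoded value of one query parameter ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [""])[0]


def render_filter_vulnerable(created_at: str) -> str:
    """Hypothetical filter-form fragment: the parameter is interpolated into a
    double-quoted attribute with no encoding, which is the bug class described."""
    return f'<input type="text" name="created_at" value="{created_at}">'


def render_filter_fixed(created_at: str) -> str:
    """Same fragment with contextual output encoding for an HTML attribute:
    html.escape(quote=True) turns " into &quot; so the value cannot close it."""
    return f'<input type="text" name="created_at" value="{html.escape(created_at, quote=True)}">'


DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def is_valid_date(value: str) -> bool:
    """Allow-list validation: exactly YYYY-MM-DD and a real calendar date.
    ISO format is an assumption; match it to the format the application expects."""
    if not DATE_RE.fullmatch(value):
        return False
    try:
        date.fromisoformat(value)
    except ValueError:
        return False
    return True


class _TagCollector(HTMLParser):
    """Collects every start tag the browser-like parser sees in the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def injected_tags(markup: str) -> list:
    """Start tags other than the template's own <input>; non-empty means breakout."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return [t for t in collector.tags if t != "input"]


if __name__ == "__main__":
    payload = extract_param(POC_URL, "created_at")
    print("decoded payload  :", payload)
    print("vulnerable render:", injected_tags(render_filter_vulnerable(payload)))
    print("fixed render     :", injected_tags(render_filter_fixed(payload)))
    print("passes validation:", is_valid_date(payload))
```

Running the script shows the unencoded render producing a live iframe start tag and the encoded render producing none; the same payload fails the date check, which is why validation and encoding are both worth applying, one rejecting garbage early and the other protecting every reflection the validator does not cover.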

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser within the application's origin. This can lead to session cookie theft, account takeover, defacement, or redirection to malicious sites. The PoC's alert(document.cookie) reads only cookies that lack the HttpOnly flag; even when the session cookie is HttpOnly, script running in the origin can still issue authenticated requests on the victim's behalf (placing or altering bids and orders, changing account details). The CVSS v3 score of 6.1 reflects the medium severity of this reflected XSS, which requires user interaction but no privileges on the application [4].

Mitigation

As of the latest advisory, no official patch has been confirmed by the vendor [2]. The durable fix is contextual output encoding: every reflected value must be HTML-encoded for the context it lands in (for the filter form, attribute encoding that turns " into &quot; and < and > into &lt; and &gt;), applied at the point of output rather than on input. In addition, the date parameters should be validated against a strict allow-list format (for example YYYY-MM-DD) and rejected otherwise, since a date has no legitimate need for quotes or angle brackets. For defence in depth, mark the session cookie HttpOnly so that the PoC's document.cookie read returns nothing, and deploy a Content-Security-Policy that disallows inline script (which blocks the onload= handler) and restricts frame sources. A web application firewall can block the known payload shapes as a stopgap, but it is bypassable and not a substitute for the code fix. Browser-side XSS filters are no longer a mitigation: Chrome and Edge removed their XSS auditors and Firefox never shipped one. Until a fixed release is available, users should treat unsolicited links to the application with suspicion.
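A detection check to run over web server access logs while the fix is pending, as an added example that is not part of the advisory or of uBidAuction. It assumes a combined/common log format and keys on the four parameter names from the description rather than on a path, so it catches the PoC on /orders/myOrders as well as the posts/manage filter. The log lines are constructed for the example; the third one carries the advisory's PoC query string. scan_log and classify_value are names introduced here.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# The four reflected parameters named in the advisory description.
DATE_PARAMS = ("date_created", "date_from", "date_to", "created_at")

# Characters a date never contains and that the PoC needs to break out of an attribute.
MARKUP_CHARS = set('<>"\'')

# Combined/common access log layout; an assumption about the deployment.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (not real logs). Line 3 is the advisory's PoC request.
SAMPLE_LOG = """\
127.0.0.1 - - [10/May/2026:12:00:01 +0000] "GET /posts/manage?date_from=2026-05-01&date_to=2026-05-10 HTTP/1.1" 200 5120
203.0.113.7 - - [10/May/2026:12:00:05 +0000] "GET /posts/manage?date_created=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5300
203.0.113.7 - - [10/May/2026:12:00:09 +0000] "GET /orders/myOrders?order_number=1&created_at=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E HTTP/1.1" 200 4800
198.51.100.2 - - [10/May/2026:12:01:00 +0000] "GET /posts/manage?date_from=2026-5-1 HTTP/1.1" 200 5100
"""


def classify_value(value: str) -> Optional[str]:
    """None for a well-formed YYYY-MM-DD value; otherwise the reason it is flagged.
    Markup characters are reported separately because they indicate an injection
    attempt rather than a user typo."""
    if re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        return None
    if MARKUP_CHARS & set(value):
        return "markup-in-date-param"
    return "malformed-date"


def scan_log(text: str) -> list:
    """Percent-decode each request's query string and flag date parameters
    whose decoded value is not a date. Decoding first matters: the PoC is
    fully URL-encoded, so a naive substring match on '<iframe' sees nothing."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        query = parse_qs(parts.query, keep_blank_values=True)
        for name in DATE_PARAMS:
            for value in query.get(name, []):
                reason = classify_value(value)
                if reason:
                    findings.append({
                        "ip": m["ip"], "time": m["ts"], "path": parts.path,
                        "param": name, "value": value, "reason": reason,
                    })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

On the sample input the two requests from 203.0.113.7 are reported as markup-in-date-param and the single-digit date as malformed-date; the well-formed filter request produces nothing. The same decode-then-validate logic is what a WAF rule needs to get right, and the malformed-date bucket doubles as a measure of how strict a server-side validator can be before it rejects real users.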

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 4

News mentions: 0 (no linked articles in the index yet)