VYPR
Medium severity 6.1 · NVD Advisory · Published May 10, 2026 · Updated May 12, 2026

CVE-2022-50966

Description

uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the news/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

uBidAuction 2.0.1 news/manage module has reflected XSS via unsanitized date parameters in GET requests.

Vulnerability

Description

uBidAuction 2.0.1 contains a reflected cross-site scripting (XSS) vulnerability in the news/manage module. The date_created, date_from, date_to, and created_at parameters used in the filter functionality are not properly sanitized before being reflected in the response [2][4]. This allows an attacker to inject arbitrary JavaScript or HTML via crafted GET requests.

Exploitation

Exploitation requires no authentication and can be performed by sending a malicious link to a victim. The attacker crafts a URL containing a JavaScript payload in one of the vulnerable parameters. When the victim clicks the link, the script executes in the context of the victim's browser, making it a classic reflected XSS attack [3].

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, credential theft, or defacement. The CVSS v3 score is 6.1, indicating medium severity.

Mitigation

The vendor has not released a patch as of the latest information. Users are advised to apply input validation and output encoding to these parameters. The vulnerability is disclosed publicly with a working Proof of Concept [3][4].
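
One way to apply the input validation and output encoding advised above, as an added example that is not uBidAuction or vendor code. It assumes PHP 8 and that the filter expects YYYY-MM-DD dates; the function names are hypothetical, and only the four parameter names come from the advisory.

```php
<?php
declare(strict_types=1);

// Added example, not uBidAuction code. The parameter names are the four listed
// in the advisory; the YYYY-MM-DD format is an assumption about the filter.
const DATE_PARAMS = ['date_created', 'date_from', 'date_to', 'created_at'];

/** Return the value as a canonical Y-m-d string, or null if it is not a real date. */
function parseFilterDate(mixed $raw): ?string
{
    // Arrays (?date_from[]=x) and strings of the wrong length are rejected up front.
    if (!is_string($raw) || strlen($raw) !== 10) {
        return null;
    }
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    // createFromFormat returns false on non-date input; the round-trip
    // comparison additionally rejects overflow dates such as 2022-02-31.
    if ($dt === false || $dt->format('Y-m-d') !== $raw) {
        return null;
    }
    return $dt->format('Y-m-d');
}

/** Validate the date filters present in a query array; invalid values become null. */
function cleanDateFilters(array $query): array
{
    $clean = [];
    foreach (DATE_PARAMS as $name) {
        if (array_key_exists($name, $query)) {
            $clean[$name] = parseFilterDate($query[$name]);
        }
    }
    return $clean;
}

/** Encode a value for an HTML text node or a quoted attribute value. */
function e(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample query: one valid date, one value carrying markup.
$query = ['date_from' => '2022-01-15', 'date_to' => '"><b>not-a-date</b>'];
foreach (cleanDateFilters($query) as $name => $value) {
    // Only the validated value is echoed back, and it is still encoded.
    printf("<input type=\"date\" name=\"%s\" value=\"%s\">\n", e($name), e($value));
}
```

Validation and encoding are applied together here: the allowlist keeps non-date input out of the filter logic, and the encoding step keeps any reflected value inert even if another code path skips validation.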

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

4
