VYPR
Medium severity · CVSS 6.1 · NVD Advisory · Published May 10, 2026 · Updated May 12, 2026

CVE-2022-50967

Description

uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the tickets/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

uBidAuction 2.0.1 (tickets/manage module) fails to sanitize date_created, date_from, date_to, and created_at parameters, allowing reflected XSS via GET requests.

Vulnerability

Overview

CVE-2022-50967 describes a reflected cross-site scripting (XSS) vulnerability in uBidAuction version 2.0.1. The flaw resides in the tickets/manage module, specifically within the filter functionality. The parameters date_created, date_from, date_to, and created_at are not properly sanitized before being reflected in the server's response [2][4]. This allows an attacker to inject arbitrary HTML and JavaScript through crafted GET requests.

Exploitation

To exploit this vulnerability, an attacker needs to craft a malicious URL containing a script payload in one of the unsanitized parameters listed above. A proof-of-concept (PoC) published by Vulnerability-Labs demonstrates the injection of an <iframe> element that triggers an alert(document.cookie) upon page load [3]. The attack can be launched remotely without authentication, as the vulnerable endpoint is accessible to any user who can trigger the filter functionality.

Impact

Successful exploitation leads to reflected XSS execution in the victim's browser. An attacker could steal session cookies, redirect the user to malicious sites, or perform actions on behalf of the victim within the application's context. The CVSS v3 base score is 6.1 (Medium), reflecting the need for user interaction (e.g., clicking a link) [1].

Mitigation

As of the latest disclosures, the vendor (ApPHP) has been notified but no official patch or fix has been confirmed in the available references. Users of uBidAuction 2.0.1 are advised to apply input validation and output encoding for those parameters, or disable the vulnerable filter functionality until a vendor-supplied update is available [2][4].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
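The Mitigation section above recommends input validation and output encoding for the four date parameters. The following is an added example, not code from this advisory, from uBidAuction or from ApPHP: it shows the vulnerable pattern (a GET parameter reflected unencoded into a filter form) next to a hardened version that allow-lists the value as a calendar date and HTML-encodes it on output, plus a small check that flags unencoded reflection. The parameter names come from the advisory; all function names, the form markup and the sample request are assumptions constructed for illustration.

```python
"""
Added example, not part of the advisory or of uBidAuction: input validation
and output encoding for date filter parameters, beside the vulnerable pattern.
Function names, markup and the sample request are constructed assumptions.
"""
import html
import re
from datetime import date
from typing import Optional
from urllib.parse import parse_qs

# The parameters the advisory lists as reflected without sanitization.
DATE_PARAMS = ("date_created", "date_from", "date_to", "created_at")

# Allow-list: strict ISO-8601 calendar date (YYYY-MM-DD) and nothing else.
_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def validate_date(value: str) -> Optional[str]:
    """Return the value if it is a real calendar date in YYYY-MM-DD form, else None.

    The regex alone would accept 2022-13-45, so the value is also parsed.
    """
    if not _DATE_RE.match(value):
        return None
    try:
        date.fromisoformat(value)
    except ValueError:
        return None
    return value


def render_filter_unsafe(query: dict) -> str:
    """Vulnerable pattern: reflect each raw parameter straight into the form."""
    return "".join(
        f'<input name="{name}" value="{query.get(name, "")}">' for name in DATE_PARAMS
    )


def render_filter_safe(query: dict) -> str:
    """Hardened pattern: allow-list the value, then HTML-encode it on output.

    Invalid values are dropped rather than echoed back; encoding is still
    applied so the output stays safe if the validation rule is later relaxed.
    """
    parts = []
    for name in DATE_PARAMS:
        value = validate_date(query.get(name, "")) or ""
        parts.append(
            f'<input name="{name}" value="{html.escape(value, quote=True)}">'
        )
    return "".join(parts)


def parse_query(query_string: str) -> dict:
    """Flatten a GET query string to single values (first occurrence wins)."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def is_reflected_unescaped(query: dict, rendered: str) -> bool:
    """Detection check: True if any parameter value containing HTML
    metacharacters appears verbatim in the rendered page, i.e. was reflected
    without encoding."""
    return any(
        any(ch in v for ch in "<>\"'") and v in rendered for v in query.values()
    )


if __name__ == "__main__":
    # Constructed sample request: one valid date and one non-date value carrying markup.
    q = parse_query("date_from=2022-05-01&date_to=%3Cb%3Enot-a-date%3C%2Fb%3E")
    print(render_filter_unsafe(q))
    print(render_filter_safe(q))
    print("unsafe reflects markup:", is_reflected_unescaped(q, render_filter_unsafe(q)))
    print("safe reflects markup:  ", is_reflected_unescaped(q, render_filter_safe(q)))
```

The two layers are deliberately independent: validation rejects anything that is not a date, and encoding protects the attribute context even for values that pass validation. The `is_reflected_unescaped` check is the kind of assertion a regression test for this endpoint can carry once a fix is applied.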

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in the index yet)