CVE-2022-50968
Description
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
uBidAuction 2.0.1 reflected XSS in auctions/manage filter parameters allows remote attackers to inject scripts via crafted GET requests.
Vulnerability Overview
uBidAuction 2.0.1 suffers from a reflected cross-site scripting vulnerability in the auctions/manage module. The date_created, date_from, date_to, and created_at parameters used in the filter functionality are not properly sanitized, allowing an attacker to inject arbitrary HTML and JavaScript into the response [4]. This occurs because user-supplied input is reflected back into the page without proper output encoding.
Exploitation Details
The vulnerability can be exploited by crafting a malicious GET request to the auctions/manage page. The attacker does not require authentication, as the XSS is reflected and can be triggered by luring a victim to click a specially crafted link [2]. Proof-of-concept exploits demonstrate injection of iframe elements and JavaScript event handlers (e.g., onload) to execute arbitrary script in the victim's browser [3].
Impact
Successful exploitation allows an attacker to execute scripts in the context of the victim's session. This can lead to session hijacking, defacement, or redirection to malicious sites [4]. The CVSS score of 6.1 reflects medium severity, owing to the required user interaction and the non-persistent (reflected) nature of the flaw.
Mitigation Status
The vulnerability was disclosed to the vendor in September 2021, and a fix was reportedly developed [2]. However, as of the published date of this CVE, the status of the patch in the latest version remains unclear. Users are advised to apply input validation and sanitization to the affected parameters or restrict access to the auctions/manage module until a verified patch is available.
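The advisory names the defect (filter values reflected into the response without encoding) and the remedy (validation and sanitization of the four date parameters) but shows no code. The following is an added example, not code from uBidAuction or from this CVE's references: a minimal Python model of the filter form that contrasts the unsafe reflection with two defensive variants. The parameter names are the ones the description lists; the form markup, the function names and the sample query string are constructed for illustration. Output encoding (html.escape) is what actually neutralizes the injection; the allow-list date check is defense in depth, since a date filter has no legitimate reason to carry anything but a calendar date.

```python
import html
import re
from datetime import date
from typing import Optional
from urllib.parse import parse_qs

# Parameter names from the CVE description; the form layout is a constructed stand-in.
FILTER_PARAMS = ("date_created", "date_from", "date_to", "created_at")
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Constructed sample request: one benign date and one value carrying markup of the
# kind the advisory describes (an iframe with an onload handler).
SAMPLE_QUERY = 'date_from=2021-09-01&date_to="><iframe src=x onload=probe()>'


def _first(params: dict, name: str) -> str:
    """Return the first value for a query parameter, or '' if absent."""
    return params.get(name, [""])[0]


def vulnerable_render(query_string: str) -> str:
    """Unsafe pattern: each filter value is reflected into the HTML verbatim.

    A value such as '"><iframe ...>' closes the value attribute and the input
    tag, so attacker-controlled markup lands in the page body.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    inputs = [
        f'<input name="{name}" value="{_first(params, name)}">' for name in FILTER_PARAMS
    ]
    return "<form>" + "".join(inputs) + "</form>"


def encoded_render(query_string: str) -> str:
    """Minimal fix: HTML-encode every reflected value at the output point.

    Quotes become &quot; and angle brackets become &lt;/&gt;, so the value can no
    longer break out of the attribute it is placed in.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    inputs = [
        f'<input name="{name}" value="{html.escape(_first(params, name), quote=True)}">'
        for name in FILTER_PARAMS
    ]
    return "<form>" + "".join(inputs) + "</form>"


def validate_date(value: str) -> Optional[str]:
    """Allow-list validation: accept only a real ISO calendar date (YYYY-MM-DD)."""
    if not ISO_DATE.match(value):
        return None
    try:
        return date.fromisoformat(value).isoformat()
    except ValueError:  # e.g. month 13 or day 32
        return None


def hardened_render(query_string: str) -> str:
    """Validation plus encoding: reject non-dates, then still encode on output."""
    params = parse_qs(query_string, keep_blank_values=True)
    inputs = []
    for name in FILTER_PARAMS:
        value = validate_date(_first(params, name)) or ""  # drop anything that is not a date
        inputs.append(f'<input name="{name}" value="{html.escape(value, quote=True)}">')
    return "<form>" + "".join(inputs) + "</form>"


if __name__ == "__main__":
    print("vulnerable:", vulnerable_render(SAMPLE_QUERY))
    print("encoded:   ", encoded_render(SAMPLE_QUERY))
    print("hardened:  ", hardened_render(SAMPLE_QUERY))
```

Run stand-alone, the script prints the three renderings of the same query: the first contains a live iframe tag, the second contains only the entity-encoded text, and the third drops the non-date value entirely while keeping the valid date_from filter.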
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0 (No linked articles in our index yet.)