CVE-2022-50969
Description
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the backend/mailingLog/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
uBidAuction 2.0.1 suffers from a reflected XSS in the backend mailingLog manage module via unsanitized filter parameters, allowing remote attackers to inject scripts.
CVE-2022-50969 is a reflected cross-site scripting (XSS) vulnerability in uBidAuction 2.0.1, specifically in the backend/mailingLog/manage module. The filter functionality fails to sanitize the date_created, date_from, date_to, and created_at GET parameters, allowing an attacker to inject arbitrary HTML and JavaScript [2][4].
An unauthenticated remote attacker can craft a malicious URL containing a payload in one of the vulnerable parameters. When a victim (e.g., an administrator) clicks the link, the injected script executes in the context of the application's backend. The Exploit-DB entry provides proof-of-concept URLs that demonstrate the injection using an iframe or alert [2][3].
Successful exploitation enables the attacker to perform actions within the victim's session, such as stealing cookies, defacing pages, or redirecting to malicious sites. Since the vulnerability resides in the backend, an administrator's session is particularly valuable, potentially leading to full compromise of the auction platform [2][4].
As of the advisory publication, the vendor was notified but no official patch has been confirmed. Users are advised to restrict access to the backend module, sanitize input manually, or consider upgrading if a fix becomes available. The vulnerability is listed in the Exploit Database and has a CVSS v3 score of 6.1 (Medium) [2][4].
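The narrative above describes the vulnerability class (a GET filter value reflected into the page without validation or encoding) and the interim mitigations (restrict backend access, sanitize input). The following Python block is an added illustration and is not code from uBidAuction or from the advisory: the two render functions are a hypothetical stand-in for the module's filter form, the YYYY-MM-DD allowlist is an assumption about what a date filter should accept, and the log lines are constructed in Apache combined format. It shows the unsafe pattern next to a hardened one (allowlist first, then HTML-encode whatever is still reflected) and a small detection pass that flags requests to the manage module whose date parameters are not plain dates.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Filter parameters named in the advisory as reflected without sanitization.
FILTER_PARAMS = ("date_created", "date_from", "date_to", "created_at")

# Allowlist for a date filter (assumption: the form expects YYYY-MM-DD).
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Constructed sample access log; line 2 carries markup in a date parameter,
# line 3 carries markup but targets a different path and is out of scope.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/May/2026:10:00:01 +0000] "GET /backend/mailingLog/manage?date_from=2026-05-01&date_to=2026-05-18 HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/May/2026:10:00:07 +0000] "GET /backend/mailingLog/manage?date_created=2026-05-18%22%3E%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 540',
    '10.0.0.9 - - [18/May/2026:10:00:09 +0000] "GET /backend/index.php?created_at=%3Cb%3E HTTP/1.1" 200 300',
]


def render_filter_vulnerable(params: dict) -> str:
    """Hypothetical unsafe pattern: the submitted filter value is written
    straight back into the form's value attribute, so any quote or angle
    bracket in the query string becomes live markup in the response."""
    return "".join(
        f'<input name="{name}" value="{params.get(name, "")}">'
        for name in FILTER_PARAMS
    )


def render_filter_safe(params: dict) -> str:
    """Hardened form: reject anything that is not a date, then HTML-encode
    the value that is reflected. Both steps are kept: the allowlist stops
    bad data, the encoding protects the HTML context regardless."""
    parts = []
    for name in FILTER_PARAMS:
        raw = params.get(name, "")
        value = raw if DATE_RE.match(raw) else ""  # drop non-date input
        parts.append(
            f'<input name="{name}" value="{html.escape(value, quote=True)}">'
        )
    return "".join(parts)


def flag_suspicious_requests(log_lines):
    """Detection pass: return (line_no, param, decoded_value) for each
    request to the mailingLog manage module whose date filter parameter
    is not a plain YYYY-MM-DD date (parse_qs already percent-decodes)."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        try:
            request_target = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue  # malformed line, skip
        url = urlsplit(request_target)
        if "mailingLog/manage" not in url.path:
            continue
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            if name not in FILTER_PARAMS:
                continue
            for value in values:
                if not DATE_RE.match(value):
                    hits.append((line_no, name, value))
    return hits


if __name__ == "__main__":
    probe = {"date_from": '"><b>x</b>'}
    print("vulnerable:", render_filter_vulnerable(probe))
    print("hardened:  ", render_filter_safe(probe))
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The detection is deliberately narrow: because a valid date filter contains only digits and hyphens, anything else in those parameters on that path is worth a look, which gives a low false-positive rule that can be run over existing access logs while the backend module remains unpatched.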
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions
No linked articles in our index yet.