CVE-2022-50964

uBidAuction 2.0.1 myAuctions loose Reflected XSS

CVSS 5.1 MEDIUMEPSS 0.3%CWE-79

uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/loose module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected products

uBidAuction · uBidAuction

public PoCs found — 2

cve_referencewww.exploit-db.com/exploits/50693unverified cve_referencewww.vulnerability-lab.com/get_content.php?id=2289unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.apphp.com/codemarket/items/48/ubidauction-php-classic-and-bid-auctions-script https://www.exploit-db.com/exploits/50693 https://www.vulncheck.com/advisories/ubidauction-myauctions-loose-reflected-xss https://www.vulnerability-lab.com/get_content.php?id=2289