Description
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the orders/myOrders module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

uBidAuction 2.0.1 includes a reflected cross-site scripting flaw in the orders/myOrders module. Malicious script code can be injected through the date_created, date_from, date_to, and created_at GET parameters because the application fails to sanitize user input. When a victim opens a crafted URL, the injected JavaScript runs in the victim's browser, potentially allowing an attacker to steal cookies or session tokens, or to perform other malicious actions in the victim's session.

Affected Systems

The vulnerable product is uBidAuction 2.0.1, a PHP-based auction platform. No other vendors or product versions are listed as affected. The flaw exists in the orders/myOrders module and specifically in the filter functionality exposed to remote users.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. The EPSS score is not provided, and the vulnerability is not listed in CISA KEV, suggesting no known widespread exploitation. The attack vector is remote, via crafted GET requests, and exploitation requires only that the victim visit a URL; propagation therefore depends on social engineering or crafted links. Because no official fix is readily available, the risk remains until a patch or a mitigating configuration is applied.

Generated by OpenCVE AI on May 10, 2026 at 13:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or upgrade to a later version that removes the unsanitized parameters in the orders/myOrders module.
  • Configure the web application firewall or URL filter to block known script payload patterns such as <script> tags or JavaScript event handlers in GET requests for date_created, date_from, date_to, and created_at parameters.
  • Sanitize the input parameters in the orders/myOrders module by escaping or validating them on the server side, ensuring that only acceptable date formats reach the business logic.
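One way to implement the server-side validation in the last action, as an added example in PHP (not uBidAuction's own code): the parameter names come from the advisory, while the YYYY-MM-DD format, the function names and the form input that reflects the value are assumptions.

```php
<?php
// Added example (not uBidAuction code): strict server-side validation of the
// four date filter parameters named in the advisory, plus output escaping.
// The reflection point (an <input> in the filter form) is an assumption.

const DATE_FILTER_PARAMS = ['date_created', 'date_from', 'date_to', 'created_at'];

/**
 * Return the value only if it is a real calendar date in YYYY-MM-DD form,
 * otherwise null. Whitelisting the format means no markup can reach the
 * query or the page, whatever the template does with the value later.
 */
function validDateParam(string $value): ?string
{
    // Anchored pattern: no room for tags, quotes or event handlers.
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $value)) {
        return null;
    }
    // createFromFormat is lenient (2026-02-30 becomes 2026-03-02), so round-trip it.
    $dt = DateTime::createFromFormat('!Y-m-d', $value);
    return ($dt !== false && $dt->format('Y-m-d') === $value) ? $value : null;
}

/** Collect validated filters from the query array; invalid values are dropped. */
function collectDateFilters(array $query): array
{
    $filters = [];
    foreach (DATE_FILTER_PARAMS as $name) {
        $clean = validDateParam((string) ($query[$name] ?? ''));
        if ($clean !== null) {
            $filters[$name] = $clean;
        }
    }
    return $filters;
}

/** Escape before reflecting into HTML, as a second layer even for valid data. */
function renderFilterInput(string $name, array $filters): string
{
    $value = htmlspecialchars($filters[$name] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf('<input type="date" name="%s" value="%s">', $name, $value);
}

// Constructed sample query: one valid date, one impossible date, one non-date.
$sample = ['date_from' => '2026-05-01', 'date_to' => '2026-02-30', 'created_at' => '<b>x'];
foreach (DATE_FILTER_PARAMS as $name) {
    echo renderFilterInput($name, collectDateFilters($sample)), PHP_EOL;
}
```

Only the valid date survives into the rendered form; the impossible and non-date values are dropped before they reach the query or the page.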

Advisories

No advisories yet.

History

Sun, 10 May 2026 21:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Ubidauction; Ubidauction ubidauction

Type: Vendors & Products
Values removed: (none)
Values added: Ubidauction; Ubidauction ubidauction

Sun, 10 May 2026 12:45:00 +0000

Type: Description
Values removed: (none)
Values added: uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the orders/myOrders module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.

Type: Title
Values removed: (none)
Values added: uBidAuction 2.0.1 myOrders Reflected XSS

Type: Weaknesses
Values removed: (none)
Values added: CWE-79

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added:
cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T15:11:31.514Z

Reserved: 2026-01-11T13:34:26.333Z

Link: CVE-2022-50962

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-10T13:16:33.953

Modified: 2026-05-10T13:16:33.953

Link: CVE-2022-50962

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T21:23:50Z

Weaknesses