Description
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/active module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

uBidAuction 2.0.1 contains a reflected XSS flaw caused by the lack of proper sanitization of date_created, date_from, date_to, and created_at parameters in the auctions/myAuctions/status/active module. An attacker can inject crafted scripts into a GET request that are reflected back in the page. In a victim’s browser the script runs under the site’s origin, potentially stealing session cookies, defacing the site, or redirecting the user to phishing sites. This flaw does not provide direct code execution on the server, but it allows attackers to tamper with user sessions and data in the browser.

Affected Systems

The vulnerability affects the uBidAuction web application version 2.0.1. No other versions or products are listed as impacted.

Risk and Exploitability

The CVSS score of 5.1 indicates a medium level of severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote; any user who follows a crafted link to the auctions/myAuctions/status/active endpoint can trigger the script. Because the flaw is reflected and does not require authentication, a wide range of users could be affected. The impact is limited to the victim’s browser session and does not compromise the server itself.

Generated by OpenCVE AI on May 10, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade uBidAuction to the latest version where input validation for the date parameters has been implemented.
  • If an upgrade is not possible, modify the code to sanitise or encode the date_created, date_from, date_to, and created_at values before rendering them in any response.
  • Deploy a strict Content Security Policy that restricts script execution to trusted sources and prevents inline script execution.

Generated by OpenCVE AI on May 10, 2026 at 13:22 UTC.

Advisories

No advisories yet.

History

Sun, 10 May 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Ubidauction
                                      Ubidauction ubidauction
Vendors & Products                    Ubidauction
                                      Ubidauction ubidauction

Sun, 10 May 2026 12:45:00 +0000

Type          Values Removed   Values Added
Description                    uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/active module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
Title                          uBidAuction 2.0.1 myAuctions active Reflected XSS
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
                               cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:12:56.592Z

Reserved: 2026-01-11T13:34:26.333Z

Link: CVE-2022-50963

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-10T13:16:34.090

Modified: 2026-05-10T13:16:34.090

Link: CVE-2022-50963

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T21:23:49Z

Weaknesses