Description
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the posts/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

uBidAuction 2.0.1 contains a reflected cross‑site scripting flaw in its posts/manage module. The date_created, date_from, date_to, and created_at GET parameters are not properly escaped, allowing an attacker to embed arbitrary JavaScript that runs in the victim’s browser when the crafted URL is opened. This client‑side code can steal session cookies, perform credential theft, deface pages, or drive phishing attacks, thereby compromising confidentiality and integrity of the affected website’s users.

Affected Systems

The vulnerability affects the uBidAuction application version 2.0.1. No other versions or components are explicitly listed, and the vendor product is identified simply as uBidAuction.

Risk and Exploitability

The CVSS score of 5.1 places the issue in the medium severity range. Because exploitation requires only a crafted GET request and a victim’s browser following the link, the attack vector is remote and does not demand user authentication. EPSS data is unavailable, but the absence of the issue from the KEV catalog suggests no widespread public exploitation has been reported. The risk is therefore moderate to high for sites that expose the posts/manage module to untrusted users or whose users can be induced to open crafted links.

Generated by OpenCVE AI on May 10, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade uBidAuction to a version that fixes the XSS vulnerability.
  • If an upgrade is not currently possible, apply a server‑side input sanitization routine to the date_created, date_from, date_to, and created_at parameters in the posts/manage module.
  • Restrict or disable access to the posts/manage module for unauthenticated or untrusted users, or implement web‑application firewall rules to block suspicious GET requests containing script payloads.
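The second recommendation above, server-side handling of the four date parameters, is illustrated below with an added example that is not code from uBidAuction or from OpenCVE. The advisory does not state the application's implementation language, so the example is written in Python as a stand-in; the parameter names come from the advisory, while the expected `YYYY-MM-DD` format, the `render_filter_*` function names and the constructed query strings are assumptions. It contrasts the raw reflection the advisory describes with a hardened version that allow-lists the value as a real calendar date and HTML-encodes it on output, and reports which parameters were rejected so the event can be logged for detection.

```python
import datetime
import html
import re
from urllib.parse import parse_qs

# Parameters named in the advisory for the posts/manage filter.
DATE_PARAMS = ("date_created", "date_from", "date_to", "created_at")

# Assumed filter format: an ISO calendar date, nothing else.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def _first_values(query_string):
    """Reduce a raw query string to a name -> first value mapping."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def render_filter_vulnerable(query_string):
    """The pattern the advisory describes: the GET value is reflected
    into the HTML form unchanged (constructed illustration)."""
    params = _first_values(query_string)
    fields = []
    for name in DATE_PARAMS:
        value = params.get(name, "")
        fields.append(f'<input name="{name}" value="{value}">')
    return "\n".join(fields)


def validate_date(value):
    """Return the value if it is a well-formed, real calendar date,
    otherwise None. Regex alone would accept 2024-02-30, so the
    date is also parsed."""
    if not DATE_RE.match(value):
        return None
    try:
        datetime.date.fromisoformat(value)
    except ValueError:
        return None
    return value


def render_filter_hardened(query_string):
    """Allow-list each date parameter, then HTML-encode on output.

    Returns (html_fragment, rejected_parameter_names). Encoding is kept
    even after validation so that a future relaxation of the allow-list
    cannot silently reintroduce the reflection."""
    params = _first_values(query_string)
    fields = []
    rejected = []
    for name in DATE_PARAMS:
        raw = params.get(name, "")
        value = validate_date(raw) if raw else ""
        if value is None:
            rejected.append(name)  # worth logging: filter value was not a date
            value = ""
        safe = html.escape(value, quote=True)
        fields.append(f'<input name="{name}" value="{safe}">')
    return "\n".join(fields), rejected


if __name__ == "__main__":
    # Constructed request: a valid date plus a markup-bearing value.
    sample = 'date_from=2024-01-01&date_to=2024-01-01"><script>x</script>'
    print("vulnerable:\n" + render_filter_vulnerable(sample))
    fragment, bad = render_filter_hardened(sample)
    print("hardened:\n" + fragment)
    print("rejected:", bad)
```

The hardened variant treats validation and output encoding as separate layers: the allow-list is what the business logic needs (a date), and the encoding is what the HTML context needs, so each still holds if the other is later changed.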



Advisories

No advisories yet.

History

Sun, 10 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ubidauction; Ubidauction ubidauction
Vendors & Products | | Ubidauction; Ubidauction ubidauction

Sun, 10 May 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description | | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the posts/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
Title | | uBidAuction 2.0.1 posts manage Reflected XSS
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
 | | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:12:58.066Z

Reserved: 2026-01-11T13:34:26.333Z

Link: CVE-2022-50965

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T13:16:34.357

Modified: 2026-05-10T13:16:34.357

Link: CVE-2022-50965

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T21:23:46Z

Weaknesses