Description
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the news/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

uBidAuction 2.0.1 contains a reflected cross‑site scripting flaw that allows attackers to inject malicious JavaScript through the date_created, date_from, date_to, and created_at parameters in the news/manage filter. The vulnerable parameters are not properly sanitized, so a crafted GET request can cause arbitrary script execution in victims' browsers.

Affected Systems

The vulnerability affects the uBidAuction product, version 2.0.1. No other versions are listed as affected in the CNA data, and no official patch or upgrade path is provided.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate impact. EPSS is not available, and the flaw is not listed in CISA KEV, so exploitation likelihood is unclear. Attackers can exploit the weakness by creating a URL that includes malicious payloads in the mentioned parameters and delivering it to a victim; when the victim clicks the link, the script runs in their browser.

Generated by OpenCVE AI on May 10, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch or upgrade to a newer release once one becomes available.
  • Validate and sanitize the date_created, date_from, date_to, and created_at parameters in the news/manage filter to prevent script injection.
  • Implement a Content Security Policy that disallows inline scripts on the news/manage page.
  • Deploy a web application firewall or input filter to detect and block malicious query strings targeting the vulnerable parameters.
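
Added example (not uBidAuction code, and not from the vendor or OpenCVE): one way to apply the validation and input-filter actions above to the four named parameters, in Python. The YYYY-MM-DD date format, the function names and the sample query strings are assumptions made for illustration.

```python
import html
import re
from datetime import datetime
from urllib.parse import parse_qs

# The four filter parameters named in the advisory.
DATE_PARAMS = ("date_created", "date_from", "date_to", "created_at")
# Assumption: the filter expects plain calendar dates in YYYY-MM-DD form.
DATE_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")

# Constructed sample query strings (not taken from the advisory).
SAMPLES = [
    "date_from=2026-05-01&date_to=2026-05-10",
    "date_created=2026-05-01%3Cb%3E&created_at=2026-02-30",
]


def parse_date(value):
    """Return a date for a strict YYYY-MM-DD string, else None."""
    if not DATE_RE.fullmatch(value):
        return None
    try:
        return datetime.strptime(value, "%Y-%m-%d").date()
    except ValueError:  # well-formed but impossible, e.g. 2026-02-30
        return None


def check_filter_query(query_string):
    """Return (accepted, rejected) for the date filters in a query string."""
    # accepted: name -> date object; rejected: names to log or block on.
    params = parse_qs(query_string, keep_blank_values=True)
    accepted, rejected = {}, []
    for name in DATE_PARAMS:
        values = params.get(name)
        if values is None:
            continue
        # A repeated parameter is rejected rather than guessed at.
        parsed = parse_date(values[0]) if len(values) == 1 else None
        if parsed is None:
            rejected.append(name)
        else:
            accepted[name] = parsed
    return accepted, rejected


def render_filter_value(accepted, name):
    """Build the input's value attribute from the parsed date only."""
    value = accepted[name].isoformat() if name in accepted else ""
    return 'value="' + html.escape(value, quote=True) + '"'
```

In a request handler, a non-empty rejected list is the signal to answer with HTTP 400 or log the request; only the parsed dates, never the raw query values, should reach the page template.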



Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 10 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ubidauction; Ubidauction ubidauction
Vendors & Products | | Ubidauction; Ubidauction ubidauction

Sun, 10 May 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description | | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the news/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
Title | | uBidAuction 2.0.1 news manage Reflected XSS
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}; cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T13:24:09.762Z

Reserved: 2026-01-11T13:34:26.333Z

Link: CVE-2022-50966

Vulnrichment

Updated: 2026-05-11T13:16:17.172Z

NVD

Status: Received

Published: 2026-05-10T13:16:34.487

Modified: 2026-05-10T13:16:34.487

Link: CVE-2022-50966

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T21:23:45Z
