Description
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the tickets/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A reflected cross‑site scripting flaw exists in uBidAuction’s tickets/manage module. Parameters used by the filter interface – date_created, date_from, date_to and created_at – are not sanitized, enabling an attacker to embed JavaScript via crafted GET requests. When a victim clicks the malicious link, the script runs in their browser, potentially stealing credentials or performing phishing attacks.

Affected Systems

Vendor uBidAuction, product uBidAuction 2.0.1. The vulnerability affects installations of this exact version that have the tickets/manage module enabled. No other versions or vendors are listed.

Risk and Exploitability

The CVE carries a CVSS v3.1 base score of 6.1 and a CVSS v4.0 score of 5.1, both rated Medium: the endpoint is reachable over the network with no privileges, but user interaction is required and the impact lands in the victim's browser rather than on the server (scope changed in the v3.1 vector; the v4.0 vector records low confidentiality and integrity impact on the subsequent system only). EPSS is below 1%, the flaw is not listed in CISA KEV, and the SSVC assessment records a public proof of concept while rating exploitation as not automatable. An attacker must persuade a victim, ideally one with an active uBidAuction session, to open a crafted tickets/manage URL, so exploitation depends on social engineering. Once the script runs it executes in the victim's origin: it can read page content, issue requests as that user, or render a fake login form. Whether the session cookie itself can be exfiltrated depends on whether it is set HttpOnly, but the script can still act on the user's behalf through the browser.
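For detection, the pattern to look for in web server logs is a GET to tickets/manage whose date_created, date_from, date_to or created_at parameter carries something other than a date. The following is an added example written for this page, not part of the OpenCVE analysis or the uBidAuction product; the four log lines are constructed in combined log format, and the URL path prefix and date format the application actually accepts are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Parameters the advisory names as reflected without sanitisation.
SUSPECT_PARAMS = {"date_created", "date_from", "date_to", "created_at"}

# Assumed legitimate shape of a filter value: an ISO date, optionally with a time.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}( \d{2}:\d{2}(:\d{2})?)?$")

# Tokens that have no business in a date filter, used as a secondary signal.
MARKUP_RE = re.compile(r"""[<>"']|javascript:|on\w+\s*=""", re.IGNORECASE)

# Combined-log-format line: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample traffic (not real logs): one benign filter request, two
# attempts against the named parameters, and one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2026:13:20:01 +0000] "GET /tickets/manage?date_from=2026-05-01&date_to=2026-05-10 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2026:13:21:44 +0000] "GET /tickets/manage?date_from=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5211 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2026:13:22:10 +0000] "GET /tickets/manage?created_at=2026-05-10%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 5198 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2026:13:23:00 +0000] "GET /items/search?q=%3Cscript%3E HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""


def find_suspicious_requests(log_text):
    """Return (ip, timestamp, parameter, decoded value) for every request to
    tickets/manage whose date_*/created_at parameter is not a plain date."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/tickets/manage"):
            continue
        query = parse_qs(parts.query, keep_blank_values=True)  # decodes once
        for name, values in query.items():
            if name not in SUSPECT_PARAMS:
                continue
            for raw in values:
                value = unquote_plus(raw)  # second pass catches double-encoding
                if not DATE_RE.match(value) or MARKUP_RE.search(value):
                    hits.append((m["ip"], m["ts"], name, value))
    return hits


if __name__ == "__main__":
    for ip, ts, name, value in find_suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} {name}={value!r}")
```

Alerting on "value is not a date" rather than on a denylist of script tags is deliberate: the parameters have a narrow legitimate shape, so an allowlist check catches encoded and obfuscated payloads that a tag-matching rule would miss. The same rule can be carried into a WAF or SIEM as a positive-validation check on these four parameters.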

Generated by OpenCVE AI on May 10, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the installation to the latest uBidAuction release that includes a fix for the tickets/manage XSS flaw.
  • If an update is not yet available, enforce server-side validation on the date_created, date_from, date_to and created_at parameters in the filter endpoint: accept only values that match the expected date format and reject (HTTP 400) or discard anything else. Do not rely on stripping "scripting characters" from the value; denylist filters of that kind are routinely bypassed with encoding or alternative markup.
  • Apply context-appropriate output encoding (HTML entity encoding for element content and for attribute values) to every parameter reflected in the tickets/manage response, so that user-supplied data is rendered as text rather than interpreted as markup. Validation and encoding are independent layers; keep both.
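The two layers above, modelled side by side with the flawed behaviour. This is an added example written for this page in Python; it is not uBidAuction's code (the product's implementation language and the exact markup of its filter form are not shown on the page and are assumed here), and the request parameters are constructed.

```python
import html
from datetime import datetime

# Parameters named in the advisory as reflected by the filter form.
DATE_PARAMS = ("date_created", "date_from", "date_to", "created_at")


def render_filter_vulnerable(params):
    """Model of the flawed behaviour: the raw query value is echoed into the
    filter form. A value such as  "><script>alert(1)</script>  closes the
    attribute and injects markup."""
    fields = []
    for name in DATE_PARAMS:
        value = params.get(name, "")
        fields.append('<input name="%s" value="%s">' % (name, value))
    return "<form>" + "".join(fields) + "</form>"


def parse_date_param(value):
    """Layer 1, validation: accept only an ISO calendar date (assumed format)
    and return it canonicalised, or None for anything else."""
    try:
        return datetime.strptime(value, "%Y-%m-%d").strftime("%Y-%m-%d")
    except (TypeError, ValueError):
        return None


def encode_for_attribute(value):
    """Layer 2, output encoding for the HTML attribute context: <, >, &, " and '
    all become entities, so the value can never close the attribute or tag."""
    return html.escape(value, quote=True)


def render_filter_hardened(params):
    """Validate each parameter, drop values that fail, and encode whatever is
    echoed. Returns (html, list of rejected parameter names) so the caller can
    answer HTTP 400 if it prefers rejecting over silently discarding."""
    fields, rejected = [], []
    for name in DATE_PARAMS:
        raw = params.get(name, "")
        value = parse_date_param(raw) if raw else ""
        if raw and value is None:
            rejected.append(name)
            value = ""  # never reflect the bad value, even encoded
        fields.append(
            '<input name="%s" value="%s">'
            % (encode_for_attribute(name), encode_for_attribute(value))
        )
    return "<form>" + "".join(fields) + "</form>", rejected


if __name__ == "__main__":
    crafted = {"date_from": '"><script>alert(1)</script>', "date_to": "2026-05-10"}
    print("vulnerable:", render_filter_vulnerable(crafted))
    page, bad = render_filter_hardened(crafted)
    print("hardened:  ", page, "rejected:", bad)
```

The encoding step is applied unconditionally, including to values that passed validation: if a later change adds a free-text filter field or the date format is relaxed, the sink is still safe. Validation alone would not protect a developer who later reflects the parameter into a JavaScript block, where attribute encoding is the wrong escaping; that context needs its own encoder.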

Generated by OpenCVE AI on May 10, 2026 at 13:21 UTC.

Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | - | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 10 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Ubidauction; Ubidauction ubidauction
Vendors & Products | - | Ubidauction; Ubidauction ubidauction

Sun, 10 May 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description | - | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the tickets/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
Title | - | uBidAuction 2.0.1 tickets manage Reflected XSS
Weaknesses | - | CWE-79
References | - |
Metrics | - | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}; cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T14:48:11.361Z

Reserved: 2026-01-11T13:34:26.333Z

Link: CVE-2022-50967

Vulnrichment

Updated: 2026-05-11T14:48:07.854Z

NVD

Status : Received

Published: 2026-05-10T13:16:34.610

Modified: 2026-05-10T13:16:34.610

Link: CVE-2022-50967

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T21:23:44Z

Weaknesses