Description
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the backend/mailingLog/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

uBidAuction 2.0.1 contains a reflected cross-site scripting flaw in the backend/mailingLog/manage module. The date_created, date_from, date_to and created_at parameters in the filtering form are not properly sanitized, allowing an attacker to inject arbitrary JavaScript through a crafted GET request. When a victim visits the resulting URL, the injected script executes in the context of the site, potentially enabling session hijacking, phishing or defacement. This vulnerability corresponds to CWE-79.

Affected Systems

The affected product is uBidAuction, version 2.0.1. The vulnerability is present in the backend/mailingLog/manage module of the application.

Risk and Exploitability

The vulnerability has a CVSS score of 5.1, which indicates a moderate severity. EPSS information is not available and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by directing a victim to a maliciously crafted URL that contains the unsanitized parameters. Successful exploitation would result in arbitrary script execution within the victim’s browser, compromising confidentiality, integrity and potentially availability of the application.

Generated by OpenCVE AI on May 10, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a uBidAuction release in which the date_* and created_at parameters of the mailingLog/manage module are properly sanitized.
  • If an upgrade is unavailable, implement server-side input validation or sanitization for the date_created, date_from, date_to and created_at parameters so that no executable script can be injected through them.
  • Deploy a web application firewall or similar filtering mechanism to block requests containing script payloads, and enforce a Content Security Policy that disallows inline script execution.
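As an added illustration of the second and third actions (example code written for this page, not uBidAuction's own), the Python below treats the four named date parameters as an allowlist of ISO calendar dates, HTML-encodes anything reflected back into the filter form as defence in depth, and carries a Content-Security-Policy value without 'unsafe-inline'. The parameter names come from the advisory; the YYYY-MM-DD format, the query-string shape and the CSP value are assumptions, and the sample request is constructed.

```python
"""Defensive handling of the date filter parameters named in the advisory.

Assumptions (not taken from uBidAuction's code): the filter form sends the
four parameters as ISO dates (YYYY-MM-DD) in a GET query string and reflects
them back into the HTML of the filter form.
"""
import html
import re
from datetime import date
from urllib.parse import parse_qs, urlencode

# Parameter names from the advisory.
DATE_PARAMS = ("date_created", "date_from", "date_to", "created_at")

# Allowlist: exactly YYYY-MM-DD. Quotes, angle brackets and anything else are rejected.
ISO_DATE_RE = re.compile(r"\A\d{4}-\d{2}-\d{2}\Z")

# Constructed CSP: no inline scripts, scripts only from the site's own origin.
CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def validate_date_param(value):
    """Return a date if value is a well-formed, real calendar date, else None."""
    if value is None or not ISO_DATE_RE.match(value):
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:  # e.g. 2026-13-40 matches the regex but is not a date
        return None


def sanitize_filter(query_string):
    """Parse the GET query string and keep only valid dates.

    Returns (accepted, rejected): accepted maps parameter name -> date,
    rejected maps parameter name -> the raw value that failed validation,
    which is what a defender would log or alert on.
    """
    raw = parse_qs(query_string, keep_blank_values=True)
    accepted, rejected = {}, {}
    for name in DATE_PARAMS:
        if name not in raw:
            continue
        value = raw[name][0]  # a repeated parameter keeps the first value only
        parsed = validate_date_param(value)
        if parsed is None:
            rejected[name] = value
        else:
            accepted[name] = parsed
    return accepted, rejected


def render_filter_input(name, value):
    """Build the reflected <input> with output encoding as defence in depth.

    value should already have passed validation; escaping also covers the case
    where a later change reflects an unvalidated string.
    """
    text = value.isoformat() if isinstance(value, date) else str(value)
    safe = html.escape(text, quote=True)
    return f'<input type="text" name="{html.escape(name)}" value="{safe}">'


def rebuild_query(accepted):
    """Canonical query string containing only the validated dates."""
    return urlencode({k: v.isoformat() for k, v in sorted(accepted.items())})


if __name__ == "__main__":
    # Constructed sample request: one valid date and one value carrying markup.
    qs = "date_from=2026-05-01&date_to=2026-05-10%22%3E%3Cscript%3Ealert(1)%3C/script%3E"
    ok, bad = sanitize_filter(qs)
    print("accepted:", ok)
    print("rejected:", bad)
    print(render_filter_input("date_from", ok["date_from"]))
    print("redirect to:", "?" + rebuild_query(ok))
    print("Content-Security-Policy:", CSP_HEADER)
```

Rejecting rather than stripping the bad value keeps the check simple to reason about and gives the application a single point at which to record the offending request; the CSP header then limits the damage should an encoding gap remain elsewhere in the module.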

Advisories

No advisories yet.

History

Sun, 10 May 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Ubidauction; Ubidauction ubidauction
Vendors & Products   (none)           Ubidauction; Ubidauction ubidauction

Sun, 10 May 2026 12:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the backend/mailingLog/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.
Title         (none)           uBidAuction 2.0.1 mailingLog manage Reflected XSS
Weaknesses    (none)           CWE-79
References    (none)           (empty)
Metrics       (none)           cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
                               cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:13:01.224Z

Reserved: 2026-01-11T13:34:26.334Z

Link: CVE-2022-50969

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T13:16:34.867

Modified: 2026-05-10T13:16:34.867

Link: CVE-2022-50969

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T21:23:41Z

Weaknesses