PatchSiren cyber security CVE debrief

CVE-2022-50962 Apphp CVE debrief

CVE-2022-50962 is a reflected cross-site scripting (XSS) issue reported for uBidAuction 2.0.1 in the orders/myOrders module. The vulnerability lies in the filter parameters date_created, date_from, date_to, and created_at, which the record describes as insufficiently sanitized: attacker-controlled script content supplied in a crafted GET request is reflected into the response. Because the issue is reflected and executes in the browser, the main risk is user-assisted script execution in a victim's session (session theft, forged actions, defacement of the page as the victim sees it) rather than direct server compromise.

Vendor: Apphp
Product: Unknown
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-10
Original CVE updated: 2026-05-10
Advisory published: 2026-05-10
Advisory updated: 2026-05-10

Who should care

Organizations running uBidAuction 2.0.1 or any deployment that exposes the orders/myOrders filtering functionality should treat this as relevant, especially if authenticated users access the affected interface. Security teams responsible for web application hardening, input validation, and frontend output encoding should also review it.

Technical summary

The supplied record and references describe a CWE-79 reflected XSS condition in the myOrders filter path. The named parameters are not properly sanitized before being reflected into the response, so attacker-supplied JavaScript can execute in a victim's browser when the victim opens a crafted link or is redirected to it. The available corpus does not include a fix version, patch identifier, or proof-of-concept details, so validation should focus on how the affected endpoint handles and renders these four parameters: a date filter has a narrow legitimate value space, which makes the check straightforward to reason about.
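The following is an added illustration for this debrief, not code from uBidAuction, ApPHP, or the CVE record. It places a constructed vulnerable pattern (the raw query value echoed into an attribute) next to a hardened version that first allow-lists the value as a real calendar date and then HTML-encodes whatever is rendered. The form markup, the function names, and the YYYY-MM-DD date format are assumptions; only the four parameter names come from the record.

```php
<?php
// Added example for this debrief; not code from uBidAuction or ApPHP.
// Parameter names come from the CVE description. Markup, function names
// and the YYYY-MM-DD format are assumptions.

declare(strict_types=1);

const FILTER_PARAMS = ['date_created', 'date_from', 'date_to', 'created_at'];

// Vulnerable pattern (constructed to show the CWE-79 condition): the raw
// query-string value lands inside an attribute, so a value such as
// "><script>...</script> closes the attribute and injects markup.
function renderFilterVulnerable(array $get): string
{
    $html = '';
    foreach (FILTER_PARAMS as $name) {
        $value = $get[$name] ?? '';
        $html .= '<input type="text" name="' . $name . '" value="' . $value . '">' . "\n";
    }
    return $html;
}

// Allow-list: accept only a well-formed, real calendar date, else null.
function validDateOrNull(?string $raw): ?string
{
    if ($raw === null || $raw === '') {
        return null;
    }
    // createFromFormat silently overflows "2024-02-30" to March 1st, so the
    // round-trip comparison is what actually rejects impossible dates.
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    if ($dt === false || $dt->format('Y-m-d') !== $raw) {
        return null;
    }
    return $raw;
}

// Hardened pattern: validate, then encode for the HTML attribute context.
// Encoding stays in place even though validation already rejects markup;
// the two controls are independent and both belong on the reflection path.
function renderFilterHardened(array $get): string
{
    $html = '';
    foreach (FILTER_PARAMS as $name) {
        $raw   = $get[$name] ?? null;
        $value = is_string($raw) ? (validDateOrNull($raw) ?? '') : '';
        $html .= '<input type="date" name="' . $name . '" value="'
            . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">' . "\n";
    }
    return $html;
}

// Constructed payload for demonstration; no exploit details come from the record.
$crafted = [
    'date_from' => '"><script>alert(document.cookie)</script>',
    'date_to'   => '2026-05-10',
    'created_at' => '2026-02-30',   // impossible date, must be dropped
];

echo "Vulnerable rendering:\n" . renderFilterVulnerable($crafted) . "\n";
echo "Hardened rendering:\n" . renderFilterHardened($crafted);
```

In the vulnerable output the date_from value closes the attribute and injects a script element; in the hardened output date_from and created_at render as empty values while date_to survives unchanged. When validating a vendor fix, the same two requests (one with markup, one with an impossible date) are a quick way to confirm that both the validation and the encoding are present.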

Defensive priority

Medium. The issue requires user interaction, but successful exploitation can impact session integrity and trust in the web application. Prioritize if the application is Internet-facing or used by authenticated staff, buyers, or administrators.

Recommended defensive actions

  • Identify whether uBidAuction 2.0.1 is in use and whether the orders/myOrders filter endpoint is reachable from untrusted users.
  • Review server-side input handling for date_created, date_from, date_to, and created_at: these are date filters, so anything that is not a well-formed date can be rejected outright, and any value that is reflected must still be encoded for its output context.
  • Apply context-appropriate output encoding for any parameter values rendered into HTML, attributes, or script-adjacent contexts.
  • Use a web application firewall or reverse-proxy rule set as a compensating control while remediation is being validated.
  • Validate that any vendor-provided update or hotfix removes the reflected XSS condition before returning the application to production.
  • Monitor for anomalous requests to the affected module and for unusual browser-side behavior reported by users.
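As an added example of the monitoring step (not part of uBidAuction, ApPHP, or this advisory's sources), the script below scans web-server access log lines for requests to the myOrders module whose date filter parameters carry anything other than a date, and rates values containing markup or event-handler fragments higher. The request path /orders/myOrders, the combined log format, and the four sample log lines are constructed assumptions; the parameter names come from the record.

```php
<?php
// Added example for this debrief; not code from uBidAuction, ApPHP or PatchSiren.
// Log lines are constructed (combined log format). The path /orders/myOrders
// and the YYYY-MM-DD filter format are assumptions.

declare(strict_types=1);

const WATCHED_PARAMS = ['date_created', 'date_from', 'date_to', 'created_at'];
const WATCHED_PATH   = '/orders/myOrders';

// Returns one finding per suspicious parameter value seen on the watched path.
function scanAccessLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $idx => $line) {
        // The quoted request field: "METHOD /path?query HTTP/x.y"
        if (!preg_match('/"(GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $url = parse_url($m[2]);
        if (!is_array($url) || ($url['path'] ?? '') !== WATCHED_PATH || empty($url['query'])) {
            continue;
        }
        // parse_str percent-decodes, so encoded payloads are inspected decoded.
        parse_str($url['query'], $params);
        foreach (WATCHED_PARAMS as $name) {
            if (!isset($params[$name]) || !is_string($params[$name])) {
                continue;
            }
            $value = $params[$name];
            // A date filter should only ever carry YYYY-MM-DD. Anything else is
            // at least malformed; markup characters point at XSS probing.
            $isDate    = (bool) preg_match('/^\d{4}-\d{2}-\d{2}$/', $value);
            $hasMarkup = (bool) preg_match('/[<>"\']|javascript:|on\w+\s*=/i', $value);
            if (!$isDate) {
                $findings[] = [
                    'line'     => $idx + 1,
                    'client'   => explode(' ', $line, 2)[0],
                    'param'    => $name,
                    'value'    => $value,
                    'severity' => $hasMarkup ? 'high' : 'low',
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample: a benign filter request, an encoded XSS probe,
// a malformed-but-harmless value, and an unrelated path that must be ignored.
$sampleLog = [
    '203.0.113.7 - - [10/May/2026:13:16:33 +0000] "GET /orders/myOrders?date_from=2026-05-01&date_to=2026-05-10 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/May/2026:13:17:02 +0000] "GET /orders/myOrders?date_from=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2026:13:17:40 +0000] "GET /orders/myOrders?created_at=2026-05-10&date_created=yesterday HTTP/1.1" 200 5100 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/May/2026:13:18:11 +0000] "GET /catalog?q=%3Cscript%3E HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
];

foreach (scanAccessLog($sampleLog) as $f) {
    printf("[%s] line %d client %s param %s value %s\n",
        $f['severity'], $f['line'], $f['client'], $f['param'], $f['value']);
}
```

Run against the sample, the scan reports the second line as high (decoded script tag in date_from) and the third as low (date_created=yesterday), and ignores the first and fourth. Restricting the check to the four named parameters on the one path keeps the rule narrow enough to be useful on a busy site; a broader rule on `<script` anywhere in the query string will also fire on unrelated endpoints and normal scanner noise.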

Evidence notes

The description in the supplied CVE record states that uBidAuction 2.0.1 contains a reflected XSS vulnerability in the orders/myOrders module, and that the date_created, date_from, date_to, and created_at parameters are not properly sanitized. The NVD-derived source metadata classifies the weakness as CWE-79 and cites third-party references that include the vendor product page, Exploit-DB, VulnCheck, and Vulnerability-Lab. The corpus does not provide a verified remediation version or a fully detailed vendor advisory.

Official resources

Public disclosure timing in the supplied record is tied to the CVE/NVD entry date of 2026-05-10T13:16:33.953Z. The corpus does not provide a separate vendor advisory date or an initial exploitation timeline beyond the listed references.