PatchSiren cyber security CVE debrief

CVE-2022-50963 Apphp CVE debrief

uBidAuction 2.0.1 is reported to have a reflected cross-site scripting issue in the auctions/myAuctions/status/active module. Crafted GET requests targeting filter parameters such as date_created, date_from, date_to, and created_at can cause attacker-supplied script to execute in a victim’s browser.

Vendor
Apphp
Product
Unknown
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-10
Original CVE updated
2026-05-10
Advisory published
2026-05-10
Advisory updated
2026-05-10

Who should care

Administrators, developers, and security teams running uBidAuction 2.0.1, especially deployments exposing the auctions/myAuctions/status/active endpoint or similar filter views to untrusted users.

Technical summary

The supplied record describes a reflected XSS weakness (CWE-79) in request handling for the active-auctions filter path. NVD metadata shows a CVSS v4 vector with a network attack vector and user interaction required, which is consistent with browser-side script execution when unsanitized query values are reflected into the response.

Defensive priority

Medium

Recommended defensive actions

  • Treat the affected filter parameters as untrusted input and apply context-aware output encoding before rendering them.
  • Add server-side validation or allowlisting for date_created, date_from, date_to, and created_at, and review adjacent parameters in the same module.
  • Patch or upgrade uBidAuction once a fixed release is available from the vendor, and verify the fix against the official vendor page.
  • Add a Content Security Policy and other browser-side hardening to reduce the impact of reflected script injection.
  • Inspect logs and WAF telemetry for crafted requests to auctions/myAuctions/status/active and related GET-based filter endpoints.
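The following is an added illustration of the validation, output-encoding and log-triage actions above; it is example code written for this debrief, not uBidAuction's or Apphp's own code. The endpoint path and the four parameter names come from the advisory; the function names, the date allowlist regex and the access-log lines are constructed assumptions, and the real application is not written in Python, so this shows the pattern rather than a drop-in patch.

```python
import html
import re
from datetime import date
from urllib.parse import parse_qs, urlsplit

# Path and parameter names are taken from the advisory; everything else is assumed.
FILTER_PATH = "/auctions/myAuctions/status/active"
DATE_PARAMS = ("date_created", "date_from", "date_to", "created_at")
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")  # allowlist: YYYY-MM-DD only


def validate_date_param(value):
    """Allowlist check: accept only a real calendar date written as YYYY-MM-DD.

    Returns the normalized date string, or None when the value must be dropped.
    Anything that is not a date (including markup fragments) is rejected
    instead of being reflected into the page."""
    if value is None or not DATE_RE.fullmatch(value):
        return None
    try:
        y, m, d = (int(p) for p in value.split("-"))
        return date(y, m, d).isoformat()  # rejects e.g. 2026-02-30
    except ValueError:
        return None


def clean_filters(query):
    """Keep only the allowlisted date parameters that pass validation."""
    out = {}
    for name in DATE_PARAMS:
        ok = validate_date_param(query.get(name))
        if ok is not None:
            out[name] = ok
    return out


def render_filter_form(filters):
    """Reflect the filter values into an HTML attribute context.

    html.escape(quote=True) encodes <, >, &, " and ', so a value can never
    close the attribute or open a tag. Validation above already removed
    non-date input; the encoding here is defense in depth."""
    parts = []
    for name in DATE_PARAMS:
        value = html.escape(filters.get(name, ""), quote=True)
        parts.append(f'<input type="date" name="{name}" value="{value}">')
    return "\n".join(parts)


def flag_filter_requests(log_lines):
    """Triage access-log lines: return (line, bad_params) for GET requests to
    the filter path whose date parameters fail the allowlist."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"GET (\S+) HTTP', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith(FILTER_PATH):
            continue
        # parse_qs URL-decodes values, so encoded markup is inspected in clear
        qs = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
        bad = [k for k in DATE_PARAMS if k in qs and validate_date_param(qs[k]) is None]
        if bad:
            flagged.append((line, bad))
    return flagged


# Constructed sample log lines (Common Log Format), not real telemetry.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2026:13:16:34 +0000] "GET /auctions/myAuctions/status/active'
    '?date_from=2026-05-01&date_to=2026-05-10 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/May/2026:13:17:02 +0000] "GET /auctions/myAuctions/status/active'
    '?date_created=2026-05-10%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 498',
    '203.0.113.9 - - [10/May/2026:13:17:05 +0000] "GET /index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print(render_filter_form(clean_filters({"date_from": "2026-05-01", "date_to": "x"})))
    for line, bad in flag_filter_requests(SAMPLE_LOG):
        print("flagged", bad, "in", line)
```

The allowlist runs before encoding so that a rejected value is never reflected at all; the same `validate_date_param` check doubles as the detection rule over logs, which keeps the server-side rule and the SOC rule from drifting apart.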

Evidence notes

The CVE description states that uBidAuction 2.0.1 reflects unsanitized date_created, date_from, date_to, and created_at parameters in the auctions/myAuctions/status/active filter path, enabling remote script injection via crafted GET requests. The NVD source item lists CWE-79 and a CVSS v4 vector with network access and user interaction required, and the corpus links official CVE/NVD records plus vendor and third-party advisory references.

Official resources

The supplied metadata shows publication and modification timestamps of 2026-05-10T13:16:34.090Z for the CVE/NVD record, with supporting vendor and third-party references in the corpus. No KEV entry is present in the supplied enrichment.