PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-50964 Apphp CVE debrief

CVE-2022-50964 describes a reflected cross-site scripting issue in uBidAuction 2.0.1 affecting the auctions/myAuctions/status/loose module. The vulnerable filter parameters include date_created, date_from, date_to, and created_at, which are not properly sanitized and can be abused through crafted GET requests to run script in a victim's browser.

Vendor: Apphp
Product: Unknown
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-10
Original CVE updated: 2026-05-10
Advisory published: 2026-05-10
Advisory updated: 2026-05-10

Who should care

Organizations running uBidAuction 2.0.1, especially any deployment exposing the affected auctions/myAuctions/status/loose module to users. Security teams should care because the attack is network-based, requires no privileges, and can impact users directly through browser execution.

Technical summary

The supplied CVE and NVD metadata describe a reflected XSS (CWE-79) in the uBidAuction 2.0.1 filtering logic for auctions/myAuctions/status/loose. The affected request parameters are date_created, date_from, date_to, and created_at. NVD metadata indicates a network attack vector with no privileges required and user interaction required, matching a browser-mediated reflected payload scenario.

Defensive priority

Medium priority. The issue is exploitable remotely and can affect users in the browser, but it requires user interaction and is described as reflected XSS rather than direct server compromise. Remediation should be prioritized for any internet-facing or user-facing deployment of the affected module.

Recommended defensive actions

  • Confirm whether any deployed uBidAuction instance is running version 2.0.1 or a version that still contains the affected auctions/myAuctions/status/loose module.
  • Apply a vendor fix or upgrade to a version confirmed by the vendor to address the reflected XSS issue.
  • If immediate patching is not possible, restrict access to the affected page or module and reduce exposure to untrusted users.
  • Implement context-aware output encoding and server-side validation for the listed parameters: date_created, date_from, date_to, and created_at.
  • Review logs for crafted GET requests targeting the affected module and parameters.
  • Consider adding or tightening browser-side protections such as a restrictive Content Security Policy as a defense-in-depth measure.
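The following is an added example, not code from the PatchSiren debrief or from the uBidAuction project, showing two of the actions above in working form: strict server-side validation plus HTML attribute encoding for the four affected filter parameters (date_created, date_from, date_to, created_at), and a log review that flags GET requests to the auctions/myAuctions/status/loose module whose date parameters are not well-formed dates. The log lines, the log format, the request handling and the rendered markup are constructed for the example; the application's real templates and logging are not known from the record, and the date format assumed (YYYY-MM-DD) is an assumption.

```python
"""Added example (not from the PatchSiren debrief or the uBidAuction project).

Demonstrates, for CVE-2022-50964:
  1. strict server-side validation plus context-aware HTML encoding of the
     four affected filter parameters before they are reflected into a page;
  2. a log review that flags GET requests to the affected module whose
     date parameters do not look like dates.
Log lines, the YYYY-MM-DD format, and the rendered markup are constructed
assumptions for this example.
"""
import html
import re
from datetime import date
from urllib.parse import parse_qs, urlparse

AFFECTED_PATH = "/auctions/myAuctions/status/loose"   # module named in the CVE
AFFECTED_PARAMS = ("date_created", "date_from", "date_to", "created_at")

# Assumed filter format: exactly YYYY-MM-DD; anything else is rejected.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def validate_date(value):
    """Return a date if value is a well-formed calendar date, else None."""
    if value is None or not DATE_RE.match(value):
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:        # e.g. 2026-13-45 matches the regex but is not a date
        return None


def sanitize_filters(query):
    """Validate every affected parameter; drop anything that is not a date.

    query: dict of name -> raw string (as a web framework would hand it over).
    Returns dict of name -> date for the parameters that passed.
    """
    clean = {}
    for name in AFFECTED_PARAMS:
        parsed = validate_date(query.get(name))
        if parsed is not None:
            clean[name] = parsed
    return clean


def render_filter_field(name, raw_value):
    """Build the reflected <input> markup with HTML attribute encoding.

    Validation should already have rejected bad values; encoding is the
    second layer, so a value that slips through cannot break out of the
    attribute. html.escape(quote=True) encodes & < > " and '.
    """
    return '<input name="{}" value="{}">'.format(
        html.escape(name, quote=True), html.escape(raw_value, quote=True))


# --- log review ------------------------------------------------------------

# Constructed access-log lines (common/combined style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2026:10:01:02 +0000] "GET /auctions/myAuctions/status/loose?date_from=2026-05-01&date_to=2026-05-10 HTTP/1.1" 200 5120
10.0.0.9 - - [10/May/2026:10:01:07 +0000] "GET /auctions/myAuctions/status/loose?date_created=2026-05-01%3Cb%3Ex HTTP/1.1" 200 5301
10.0.0.5 - - [10/May/2026:10:02:11 +0000] "GET /auctions/myAuctions/status/closed?date_from=%3Cb%3E HTTP/1.1" 200 4800
10.0.0.7 - - [10/May/2026:10:03:40 +0000] "GET /auctions/myAuctions/status/loose?created_at=2026-13-45 HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_requests(log_text):
    """Return (ip, timestamp, param, decoded_value) for every request to the
    affected module whose affected parameters are not valid dates."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if url.path != AFFECTED_PATH:          # other modules are out of scope
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes
        for name in AFFECTED_PARAMS:
            for raw in params.get(name, []):
                if validate_date(raw) is None:
                    hits.append((m.group("ip"), m.group("ts"), name, raw))
    return hits


if __name__ == "__main__":
    print(sanitize_filters({"date_from": "2026-05-01", "date_to": "nope"}))
    print(render_filter_field("date_from", '2026-05-01"><b>x'))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The same validate_date function drives both halves: the request handler uses it to drop anything that is not a calendar date before the value reaches a template, and the log sweep uses it to surface requests that would have failed that check, which is a tighter signal than grepping for individual tag names. Encoding is kept as a separate step because validation alone does not protect a template that reflects the raw input elsewhere.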

Evidence notes

All substantive claims here are taken from the supplied CVE description and the NVD metadata in the source corpus. The CVE/NVD records identify the issue as reflected XSS (CWE-79) in uBidAuction 2.0.1, and the provided metadata includes the affected module and parameter names. Vendor attribution in the supplied record is marked low-confidence and needs review, so this debrief treats the product name as primary and the vendor label as uncertain. Reference URLs are included as evidence pointers only; their page contents were not assumed beyond what was present in the source corpus.

Official resources

The CVE and NVD records supplied in the corpus are dated 2026-05-10. The source metadata also lists related references to the vendor page, VulnCheck advisory, Exploit-DB, and Vulnerability-Lab, indicating public disclosure coverage for the