PatchSiren cyber security CVE debrief

CVE-2022-50967 Apphp CVE debrief

CVE-2022-50967 describes a reflected cross-site scripting issue in uBidAuction 2.0.1. The vulnerable behavior is in the tickets/manage module, where the date_created, date_from, date_to, and created_at filter parameters are not properly sanitized. As a result, a remote attacker can send a crafted GET request that causes attacker-controlled script to execute in a victim's browser. The supplied record rates the issue CVSS 5.1 (Medium) and maps it to CWE-79. Timing note: the CVE/NVD record in the supplied corpus is dated 2026-05-10; that is record timing, not necessarily the original vulnerability introduction or disclosure date.

Vendor
Apphp
Product
uBidAuction 2.0.1 (named in the CVE description; the record's product field itself is unpopulated)
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-10
Original CVE updated
2026-05-10
Advisory published
2026-05-10
Advisory updated
2026-05-10

Who should care

Administrators and developers using uBidAuction 2.0.1, especially deployments that expose the tickets/manage interface to authenticated users or public traffic. Security teams should also care if the application is embedded in a broader workflow where a successful reflected XSS could expose session data, perform actions on behalf of a user, or enable phishing inside trusted browser sessions.

Technical summary

The issue is a reflected XSS in the tickets/manage filter functionality. The affected inputs, named date_created, date_from, date_to, and created_at, are echoed into the HTML response without adequate validation or output encoding, so a value containing markup or script is rendered by the browser instead of being treated as a date. Because the parameters arrive in a GET request, the payload fits in a URL: the attacker must get a victim who has a session with the application to open a crafted link or be redirected to it. That is why the NVD metadata supplied with the record scores the vector as network-based and low-complexity but with user interaction required, and identifies the weakness as CWE-79.
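The pattern described above, reduced to a small Python model: a handler that echoes the four filter parameters straight into a form (the CWE-79 defect) beside two fixed variants, one that only HTML-encodes and one that also rejects anything that is not a date. This is an added example written for this debrief, not code from uBidAuction or Apphp; the handler names, the form layout, the YYYY-MM-DD filter format and the probe string are assumptions, and only the four parameter names come from the CVE description.

```python
"""Reflected XSS in a date-filter form: vulnerable echo vs. encoded vs. validated.

Added example for this debrief; not uBidAuction code. The route, handler
names, form layout and YYYY-MM-DD format are assumptions.
"""
import html
import re
from datetime import datetime
from urllib.parse import parse_qs, quote, urlsplit

# The four parameter names are the ones named in the CVE description.
FILTER_PARAMS = ("date_created", "date_from", "date_to", "created_at")
# Assumed filter format; the real application may accept another one.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def _params(url: str) -> dict[str, str]:
    """First value of each filter parameter present in the query string."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: qs[k][0] for k in FILTER_PARAMS if k in qs}


def render_vulnerable(url: str) -> str:
    """Echoes each filter value into value="..." with no encoding (CWE-79)."""
    fields = "".join(
        f'<input name="{k}" value="{v}">' for k, v in _params(url).items()
    )
    return f"<form>{fields}</form>"


def render_encoded_only(url: str) -> str:
    """Fix 1: contextual output encoding. html.escape(quote=True) also encodes
    the double quote, which is what keeps the value inside the attribute."""
    fields = "".join(
        f'<input name="{k}" value="{html.escape(v, quote=True)}">'
        for k, v in _params(url).items()
    )
    return f"<form>{fields}</form>"


def valid_date(value: str) -> bool:
    """Allow-list check: right shape, then a real calendar date."""
    if not DATE_RE.match(value):
        return False
    try:
        datetime.strptime(value, "%Y-%m-%d")
    except ValueError:
        return False
    return True


def render_hardened(url: str) -> str:
    """Fix 2: reject non-dates instead of reflecting them, and still encode
    what is echoed (defence in depth if the allow-list is ever loosened)."""
    fields = []
    for k, v in _params(url).items():
        if not valid_date(v):
            return "<p>400 Bad Request: invalid filter value</p>"
        fields.append(f'<input name="{k}" value="{html.escape(v, quote=True)}">')
    return f"<form>{''.join(fields)}</form>"


# Constructed, harmless probe: closes the attribute and opens a tag.
PROBE = '"><svg onload=alert(1)>'
PROBE_URL = f"/tickets/manage?date_from={quote(PROBE)}&date_to=2022-01-31"
CLEAN_URL = "/tickets/manage?date_from=2022-01-01&date_to=2022-01-31"

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PROBE_URL))
    print("encoded:   ", render_encoded_only(PROBE_URL))
    print("hardened:  ", render_hardened(PROBE_URL))
    print("clean:     ", render_hardened(CLEAN_URL))
```

Encoding alone already stops the probe from becoming markup; the allow-list on top of it also keeps garbage out of the downstream filter query and gives a clear signal (a 400) that a request was malformed.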

Defensive priority

Medium. This is not a known wormable or unauthenticated server compromise issue, but reflected XSS on a management interface can still be high-impact in real deployments because it targets browser sessions and trusted users. Remediation should be prioritized for any internet-exposed or user-facing installation of uBidAuction 2.0.1.

Recommended defensive actions

  • Identify any deployments of uBidAuction 2.0.1 and inventory exposure of the tickets/manage module.
  • Apply the vendor fix or upgrade to a version that addresses the reflected XSS, if available from the product vendor.
  • HTML-encode every reflected parameter for the context in which it appears (element body or attribute), especially date_created, date_from, date_to, and created_at, rather than relying on blocklist-style sanitization of the input.
  • Add server-side validation for expected date formats and reject unexpected values rather than reflecting them back to the client.
  • Review whether the tickets/manage endpoint is reachable by untrusted users and restrict access where possible.
  • Use browser-side and application-layer protections such as a restrictive Content Security Policy to reduce XSS impact.
  • Monitor logs for suspicious requests containing script-like payloads in the affected parameters.
  • Re-test the endpoint after remediation by sending a harmless probe in each of the four parameters and confirming that the response either rejects it or returns it HTML-encoded, never as raw markup.
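For the monitoring and re-test items above, an added Python example (written for this debrief, not part of the advisory or of the product): it scans access-log lines for requests to the tickets/manage path whose date filter parameters carry markup or script, decoding repeated percent-encoding first so double-encoded payloads are judged on their final form, and includes the check a re-test would apply to a response body. The log format, the route path and the sample lines are constructed; only the parameter names come from the CVE description.

```python
"""Scan access logs for script-like values in the tickets/manage filter parameters.

Added example for this debrief; not product code. The common-log-format
lines, the route path and the detection regex are constructed assumptions.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

FILTER_PARAMS = ("date_created", "date_from", "date_to", "created_at")
TARGET_PATH = "tickets/manage"  # assumed route fragment; adjust to your URL layout

# Markers that a "date" is really an injection attempt.
SUSPICIOUS = re.compile(
    r"<[a-z!/]|javascript:|on[a-z]+\s*=|&#x?[0-9a-f]+;|expression\(",
    re.IGNORECASE,
)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (%253C -> %3C -> <)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(request_target: str) -> dict[str, str]:
    """Affected parameters whose decoded value looks like markup or script."""
    parts = urlsplit(request_target)
    if TARGET_PATH not in parts.path:
        return {}
    hits = {}
    # parse_qs already strips one encoding layer; decode_fully handles the rest.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in FILTER_PARAMS:
            continue
        for raw in values:
            value = decode_fully(raw)
            if SUSPICIOUS.search(value):
                hits[name] = value
    return hits


def scan_log(lines) -> list[tuple[str, str, str]]:
    """(client_ip, parameter, decoded_value) for every suspicious filter value."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        for name, value in suspicious_params(m.group("target")).items():
            findings.append((client_ip, name, value))
    return findings


def response_reflects_probe(body: str, probe: str) -> bool:
    """Re-test check: True if the raw probe came back unencoded.
    An encoded response contains only the entity-escaped form."""
    return probe in body


# Constructed sample lines (not real traffic). Line 3 is double-encoded;
# line 4 is an invalid date but not an injection; line 5 is another route.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2026:12:00:01 +0000] "GET /tickets/manage?date_from=2022-01-01&date_to=2022-01-31 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/May/2026:12:00:02 +0000] "GET /tickets/manage?date_created=%22%3E%3Csvg%20onload%3Dalert(1)%3E HTTP/1.1" 200 5342',
    '203.0.113.9 - - [10/May/2026:12:00:03 +0000] "GET /tickets/manage?created_at=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5350',
    '198.51.100.4 - - [10/May/2026:12:00:04 +0000] "GET /tickets/manage?date_to=2022-02-30 HTTP/1.1" 200 5120',
    '198.51.100.5 - - [10/May/2026:12:00:05 +0000] "GET /products?search=%3Cscript%3E HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for ip, name, value in scan_log(SAMPLE_LOG):
        print(f"{ip} {name}={value!r}")
```

Treat hits as a signal to look at the client and the session involved, not as proof of compromise: a 200 on a suspicious request says the payload was reflected only if the application was still vulnerable at that time, which is exactly what the post-remediation probe confirms or rules out.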

Evidence notes

Supported by the CVE description in the supplied corpus, which explicitly states a reflected XSS in uBidAuction 2.0.1's tickets/manage module and names the affected parameters. NVD metadata in the source item assigns CWE-79 and a medium-severity CVSS score of 5.1. The supplied record also includes references to the Apphp product page, VulnCheck advisory, Exploit-DB entry, and Vulnerability-Lab report, but this debrief does not rely on their contents beyond their presence in the metadata.

Official resources

Publicly recorded in the CVE/NVD ecosystem on 2026-05-10 in the supplied corpus, with additional third-party references listed by NVD. This debrief intentionally avoids exploit reproduction details and uses only the supplied metadata and CV