Vulnerabilities ›

CVE-2022-50964

Medium

CWE-79 — Weakness Type

                    Published: May 10, 2026                      ·  Modified: May 13, 2026                      ·  Source: NVD                

CVSS v3

6.1

🔗 NVD Official

📄 Description (English)

uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/loose module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers.

🤖 AI Executive Summary

CVE-2022-50964 is a reflected XSS vulnerability in uBidAuction 2.0.1 affecting the auction filtering functionality. Attackers can inject malicious scripts through unsanitized date parameters (date_created, date_from, date_to, created_at) that execute in users' browsers. While no exploit is publicly available and CVSS is moderate (6.1), the vulnerability poses significant risk to organizations using this auction platform for procurement or e-commerce operations.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 23, 2026 05:54

🇸🇦 Saudi Arabia Impact Assessment

Saudi government procurement entities (GAMPCO, ministry purchasing departments) and private sector organizations using uBidAuction for e-procurement are at risk. Banking sector exposure is moderate if used for auction-based financial services. Telecom and energy sectors using auction platforms for vendor management could be affected. The vulnerability enables credential theft, session hijacking, and malware distribution targeting procurement officers and decision-makers. Government entities under NCA oversight face compliance implications if user data is compromised through XSS attacks.

🏢 Affected Saudi Sectors

Government Procurement Banking Telecommunications Energy Healthcare Private Sector E-commerce

🎯 MITRE ATT&CK Techniques

T1598.003 - Phishing: Spearphishing Link (XSS payload delivery) T1566.002 - Phishing: Phishing - Spearphishing Link (via auction notifications) T1059.007 - Command and Scripting Interpreter: JavaScript (XSS execution) T1185 - Man in the Browser (session hijacking via XSS) T1056.004 - Input Capture: Credential API Hooking (credential theft via XSS)

⚖️ Saudi Risk Score (AI)

6.8

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Identify all instances of uBidAuction 2.0.1 in your environment and document their usage

2. Restrict access to the affected auction filtering functionality to trusted networks only

3. Implement Web Application Firewall (WAF) rules to block requests containing script tags in date parameters

4. Monitor access logs for suspicious patterns in date_created, date_from, date_to, and created_at parameters

Patching Guidance:

1. Contact uBidAuction vendor immediately for security patch availability

2. If no patch is available, consider upgrading to a newer version if available

3. Implement input validation on the server-side for all date parameters using whitelist approach (accept only valid date formats: YYYY-MM-DD)

4. Apply output encoding to all date parameters before rendering in HTML context

Compensating Controls:

1. Deploy Content Security Policy (CSP) headers to prevent inline script execution

2. Implement HTTPOnly and Secure flags on session cookies

3. Enable browser-based XSS protection headers (X-XSS-Protection, X-Content-Type-Options)

4. Conduct user awareness training on phishing and suspicious links from auction platforms

Detection Rules:

1. Alert on GET requests containing script tags, javascript:, or event handlers in date parameters

2. Monitor for unusual character encoding patterns (%3C, %3E, %27, %22) in filter parameters

3. Track failed authentication attempts following suspicious filter requests

4. Log and alert on any modifications to auction filtering functionality

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. حدد جميع نسخ uBidAuction 2.0.1 في بيئتك وقم بتوثيق استخدامها

2. قيد الوصول إلى وظيفة تصفية المزادات المتأثرة على الشبكات الموثوقة فقط

3. طبق قواعد جدار حماية تطبيقات الويب (WAF) لحجب الطلبات التي تحتوي على علامات نصية برمجية في معاملات التاريخ

4. راقب سجلات الوصول للأنماط المريبة في معاملات date_created و date_from و date_to و created_at

إرشادات التصحيح:

1. اتصل بمورد uBidAuction فوراً للحصول على تصحيح أمني

2. إذا لم يكن هناك تصحيح متاح، فكر في الترقية إلى نسخة أحدث إن أمكن

3. طبق التحقق من صحة المدخلات على جانب الخادم لجميع معاملات التاريخ باستخدام نهج القائمة البيضاء (قبول تنسيقات التاريخ الصحيحة فقط: YYYY-MM-DD)

4. طبق ترميز الإخراج على جميع معاملات التاريخ قبل العرض في سياق HTML

الضوابط البديلة:

1. نشر رؤوس سياسة أمان المحتوى (CSP) لمنع تنفيذ النصوص البرمجية المضمنة

2. طبق أعلام HTTPOnly و Secure على ملفات تعريف الارتباط للجلسة

3. فعّل رؤوس حماية XSS المستندة إلى المتصفح (X-XSS-Protection و X-Content-Type-Options)

4. أجرِ تدريباً على الوعي الأمني للمستخدمين بشأن التصيد الاحتيالي والروابط المريبة من منصات المزادات

قواعد الكشف:

1. تنبيهات على طلبات GET تحتوي على علامات نصية برمجية أو javascript: أو معالجات أحداث في معاملات التاريخ

2. مراقبة أنماط ترميز الأحرف غير العادية (%3C و %3E و %27 و %22) في معاملات التصفية

3. تتبع محاولات المصادقة الفاشلة بعد طلبات التصفية المريبة

4. تسجيل والتنبيه على أي تعديلات على وظيفة تصفية المزادات

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.14.2.1 - Secure development policy (input validation and output encoding requirements) A.14.2.5 - Secure development environment (vulnerability management) A.12.6.1 - Management of technical vulnerabilities (patch management) A.12.3.1 - Event logging (detection of XSS attempts)

🔵 SAMA CSF

ID.GV-1 - Organizational cybersecurity policy and procedures PR.DS-6 - Data is protected from unauthorized access and disclosure PR.IP-1 - System development and acquisition processes DE.CM-1 - The network is monitored to detect potential cybersecurity events

🟡 ISO 27001:2022

A.8.2.3 - Segregation of duties (access control to procurement systems) A.12.2.1 - Inputs validation (CWE-79 mitigation) A.12.6.1 - Management of technical vulnerabilities A.13.1.3 - Segregation of information networks (network segmentation for procurement)

🟣 PCI DSS v4.0.1

6.5.1 - Injection flaws prevention (if payment data processed) 6.5.7 - Cross-site scripting (XSS) prevention 11.3 - Penetration testing and vulnerability scanning

🔗 References & Sources 4

🔗

https://www.apphp.com/codemarket/items/48/ubidauction-php-classic-and-bid-auctions-script

disclosure@vulncheck.com

🔗

https://www.exploit-db.com/exploits/50693

disclosure@vulncheck.com

🔗

https://www.vulncheck.com/advisories/ubidauction-myauctions-loose-reflected-xss

disclosure@vulncheck.com

🔗

https://www.vulnerability-lab.com/get_content.php?id=2289

disclosure@vulncheck.com

📊 CVSS Score

6.1

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionR — Required

ScopeC — Changed

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score6.1

CWECWE-79

EPSS0.04%

Exploit No

Patch ✗ No

Published 2026-05-10

Source Feed nvd

🇸🇦 Saudi Risk Score

6.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-79

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2022-50964

Introduce Yourself

Sign In Required