CVE-2022-50957

MEDIUM

Drupal avatar_uploader 7.x-1.0-beta8 Reflected XSS

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-50957. PoCs published by Milad karimi.

AI-analyzed exploit summary The exploit demonstrates a reflected XSS vulnerability in Drupal's avatar_uploader module by injecting a malicious script via the 'file' parameter in the URL. The PoC is straightforward and functional, requiring no authentication.

Description

Drupal avatar_uploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avatar_uploader.pages.inc to execute arbitrary JavaScript in victim browsers.

Exploits (1)

exploitdb WORKING POC
by Milad karimi · textwebappsphp
https://www.exploit-db.com/exploits/50841

The exploit demonstrates a reflected XSS vulnerability in Drupal's avatar_uploader module by injecting a malicious script via the 'file' parameter in the URL. The PoC is straightforward and functional, requiring no authentication.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Drupal avatar_uploader v7.x-1.0-beta8
No auth needed
Prerequisites: Access to the target URL with the vulnerable module installed
devstral-2 · analyzed May 10, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit exploit
ExploitDB-50841
https://www.exploit-db.com/exploits/50841
Product product
Product Reference
https://www.drupal.org/project/avatar_uploader
Third Party Advisory third-party-advisory
VulnCheck Advisory: Drupal avatar_uploader 7.x-1.0-beta8 Reflected XSS
https://www.vulncheck.com/advisories/drupal-avatar-uploader-7-x-beta8-reflected-xss

Scores

CVSS v3 6.1
EPSS 0.0024
EPSS Percentile 15.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (3)
avatar_uploader/avatar_uploader 7.0-1.0-beta8
avatar_uploader/avatar_uploader 7.x-1.0-beta8
avatar_uploader_project/avatar_uploader 7.x-1.0 beta8
Published May 10, 2026
Tracked Since May 10, 2026