Description
A weakness has been identified in LigeroSmart up to 6.1.26. Impacted is an unknown function of the file /otrs/index.pl?Action=AgentTicketZoom. This manipulation of the argument TicketID causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-01-17
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting via the TicketID parameter in LigeroSmart's AgentTicketZoom endpoint
Action: Mitigate
AI Analysis

Impact

A flaw in LigeroSmart allows attackers to manipulate the TicketID argument at /otrs/index.pl?Action=AgentTicketZoom and inject arbitrary client‑side scripts. This results in cross‑site scripting (CWE‑79) and the execution of potentially malicious payloads (CWE‑94). Attackers can embed JavaScript that executes in the browser of any user who views the crafted URL, enabling session hijacking, credential theft, or page tampering. The vulnerability is triggered remotely by sending a specially crafted web request; this is inferred from the description, which states that the exploit works via the TicketID parameter.

Affected Systems

LigeroSmart installations running version 6.1.26 or earlier are affected. No newer releases have been reported as vulnerable and the vendor has yet to issue a fix or update.

Risk and Exploitability

The CVSS score of 5.1 classifies the issue as medium severity. Coupled with an EPSS score of less than 1 % and absence from the CISA KEV catalog, the current risk is relatively low, yet the publicly available exploit means any user who visits the malicious link could be compromised. The attack vector is a remote HTTP request to the web application, inferred from the description that the flaw is triggered via a crafted URL.

Generated by OpenCVE AI on April 18, 2026 at 19:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Validate and sanitize the TicketID input on the server side, removing or encoding any script tags or malicious characters.
  • Restrict access to the AgentTicketZoom action through role‑based access controls so only authorized users can invoke it.
  • Deploy a web‑application firewall rule that blocks URLs containing suspicious script payloads.
  • Keep the LigeroSmart platform up to date and monitor for a vendor‑issued patch that addresses the XSS flaw.
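As an added illustration of the first and third recommendations (not code from LigeroSmart or OpenCVE), the following Python sketch applies an allow-list to TicketID and uses it to review web-server access logs for AgentTicketZoom requests that carry anything else. It assumes TicketID is a plain numeric identifier, that parameters may be separated by `;` as well as `&`, and that the logs are in combined format; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate TicketID is a short run of decimal digits.
TICKET_ID_OK = re.compile(r"[0-9]{1,19}")
# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def suspicious_ticket_ids(log_line):
    """Return TicketID values of an AgentTicketZoom request that fail the allow-list."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith("/index.pl"):
        return []
    # Only literal ';' separators are rewritten; an encoded %3B stays part of a value.
    # parse_qs percent-decodes values and keeps repeated parameters.
    params = parse_qs(url.query.replace(";", "&"), keep_blank_values=True)
    if "AgentTicketZoom" not in params.get("Action", []):
        return []
    return [v for v in params.get("TicketID", []) if not TICKET_ID_OK.fullmatch(v)]

SAMPLE_LOG = [  # constructed lines, not taken from a real system
    '192.0.2.10 - - [18/Apr/2026:10:00:00 +0000] "GET /otrs/index.pl?Action=AgentTicketZoom;TicketID=4521 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [18/Apr/2026:10:00:05 +0000] "GET /otrs/index.pl?Action=AgentTicketZoom&TicketID=7%3Cb%3Etest HTTP/1.1" 200 5188',
    '192.0.2.12 - - [18/Apr/2026:10:00:09 +0000] "GET /otrs/index.pl?Action=AgentDashboard HTTP/1.1" 200 9000',
    '192.0.2.13 - - [18/Apr/2026:10:00:12 +0000] "GET /otrs/index.pl?Action=AgentTicketZoom;TicketID=12;TicketID= HTTP/1.1" 200 5100',
]

def scan(lines):
    """Return (line_number, bad_values) for each line with a non-conforming TicketID."""
    hits = []
    for n, line in enumerate(lines, 1):
        bad = suspicious_ticket_ids(line)
        if bad:
            hits.append((n, bad))
    return hits

if __name__ == "__main__":
    for n, bad in scan(SAMPLE_LOG):
        print(f"line {n}: unexpected TicketID value(s) {bad!r}")
```

The same allow-list pattern can back a reverse-proxy or WAF rule that rejects the request before it reaches the application, which is stricter than trying to match script payloads.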


Advisories

No advisories yet.

History

Fri, 27 Feb 2026 04:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ligerosmart:ligerosmart:*:*:*:*:*:*:*:*

Mon, 23 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Ligerosmart
Ligerosmart ligerosmart
Vendors & Products Ligerosmart
Ligerosmart ligerosmart

Sat, 17 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in LigeroSmart up to 6.1.26. Impacted is an unknown function of the file /otrs/index.pl?Action=AgentTicketZoom. This manipulation of the argument TicketID causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title LigeroSmart index.pl cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-26T15:57:18.484Z

Reserved: 2026-01-16T16:38:45.229Z

Link: CVE-2026-1048

Vulnrichment

Updated: 2026-01-20T21:32:07.009Z

NVD

Status: Analyzed

Published: 2026-01-17T17:15:48.863

Modified: 2026-02-27T03:52:11.113

Link: CVE-2026-1048

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:15:10Z

Weaknesses