Description
A weakness has been identified in LigeroSmart up to 6.1.26. Impacted is an unknown function of the file /otrs/index.pl?Action=AgentTicketSearch. This manipulation of the argument Profile causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-16
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

Improper handling of the Profile query parameter in the /otrs/index.pl?Action=AgentTicketSearch endpoint of LigeroSmart allows an attacker to inject arbitrary JavaScript into the generated web page. This cross-site scripting flaw can be triggered remotely when a victim visits a crafted link. Because the victim's browser executes the payload, potential consequences include session hijacking, credential theft, or malicious interaction with the application. The flaw is classified as CWE-79 and also has CWE-94 characteristics related to code injection through parameter manipulation.

Affected Systems

LigeroSmart version 6.1.26 and all earlier releases are affected.

Risk and Exploitability

The CVSS base score of 5.1 places the issue in the medium severity range. The EPSS score is lower than 1%, indicating a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, so no confirmed attacks are reported. Attackers can trigger the flaw remotely by constructing a URL that includes a malicious value for the Profile parameter. Publicly available exploit code suggests that threat actors could carry out the attack against systems where no fix has been applied.

Generated by OpenCVE AI on April 18, 2026 at 17:59 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade LigeroSmart to a version that contains the XSS fix, if one is available.
  • Implement input validation or output encoding for the Profile query parameter so that embedded JavaScript is not executed.
  • Deploy a Web Application Firewall rule to block or filter suspicious payloads targeting the AgentTicketSearch endpoint.

Advisories

No advisories yet.

History

Thu, 19 Feb 2026 19:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:ligerosmart:ligerosmart:*:*:*:*:*:*:*:*

Tue, 17 Feb 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Feb 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ligerosmart; Ligerosmart ligerosmart
Vendors & Products | | Ligerosmart; Ligerosmart ligerosmart

Mon, 16 Feb 2026 07:45:00 +0000

Type | Values Removed | Values Added
Description | | A weakness has been identified in LigeroSmart up to 6.1.26. Impacted is an unknown function of the file /otrs/index.pl?Action=AgentTicketSearch. This manipulation of the argument Profile causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title | | LigeroSmart index.pl cross site scripting
Weaknesses | | CWE-79; CWE-94
References | |
Metrics | | cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:07:15.711Z

Reserved: 2026-02-15T16:00:20.235Z

Link: CVE-2026-2545

Vulnrichment

Updated: 2026-02-17T18:31:36.897Z

NVD

Status: Analyzed

Published: 2026-02-16T08:16:05.587

Modified: 2026-02-19T19:39:45.443

Link: CVE-2026-2545

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:00:06Z

Weaknesses