The vulnerability resides in the single.php page of Open ISES Tickets and allows an authenticated attacker to insert JavaScript into the ticket_id GET parameter. Because the value is reflected into an HTML attribute without sanitization, any script passed in the id field will execute in the browser of any user who opens the malicious URL. This can lead to theft of session information, credential hijacking, or other actions that compromise the victim’s session within the application. The weakness is a classic reflected cross‑site scripting flaw (CWE‑79).

The affected product is Open ISES Tickets 3.44.1 and earlier versions released before 3.44.2. All deployments of the openises:tickets application running these pre‑3.44.2 releases are vulnerable. No information is provided about sub‑versions, so any release labeled earlier than 3.44.2 should be considered at risk.

The CVSS score of 5.1 positions this issue in the moderate severity range. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating that it is not a known actively exploited vulnerability at the time of this analysis. The likely attack vector is a user following a crafted link containing a malicious JavaScript payload in the ticket_id parameter. Since the flaw requires an authenticated session to be exploited effectively, attackers must first log in to the system or gain credentials, which limits the attack surface compared to an unauthenticated XSS. Nonetheless, authenticated users can remain at risk if they click a link or open content from a compromised site that directs them to the vulnerable URL.