The vulnerability is a reflected cross‑site scripting flaw located in add_note.php of Open ISES Tickets versions prior to 3.44.2. An authenticated attacker can supply a malicious JavaScript payload via the ticket_id query string; the application inserts this unsanitized value directly into a hidden input field’s VALUE attribute, causing the script to execute in the browser of any user who opens the crafted URL. Consequently the attacker may run arbitrary code in the victim’s context, hijack sessions, deface the interface, or exfiltrate sensitive data.

All installations of Open ISES Tickets running any version older than 3.44.2 are affected. The CNA vendor identifies openises:tickets, and the flaw is present in every build before the 3.44.2 release, which contains the patch that eliminates the unsanitized transfer of ticket_id to the hidden input field.

The CVSS score of 5.1 indicates moderate severity. Exploitation requires authentication, so the attack vector is not purely remote. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited publicly known exploitation. The likely attack path involves an attacker with legitimate credentials crafting a malicious ticket_id URL and convincing target users to visit it, thereby executing injected JavaScript in their browsers.