Description
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_note.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field VALUE attribute. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim's browser when the URL is visited.
Published: 2026-05-20
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw located in add_note.php of Open ISES Tickets versions prior to 3.44.2. An authenticated attacker can supply a malicious JavaScript payload via the ticket_id query string; the application inserts this unsanitized value directly into a hidden input field’s VALUE attribute, causing the script to execute in the browser of any user who opens the crafted URL. Consequently the attacker may run arbitrary code in the victim’s context, hijack sessions, deface the interface, or exfiltrate sensitive data.

Affected Systems

All installations of Open ISES Tickets running any version older than 3.44.2 are affected. The CNA vendor identifies openises:tickets, and the flaw is present in every build before the 3.44.2 release, which contains the patch that eliminates the unsanitized transfer of ticket_id to the hidden input field.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. Exploitation requires authentication, so the attack vector is not purely remote. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited publicly known exploitation. The likely attack path involves an attacker with legitimate credentials crafting a malicious ticket_id URL and convincing target users to visit it, thereby executing injected JavaScript in their browsers.

Generated by OpenCVE AI on May 20, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open ISES Tickets to v3.44.2 or later to apply the vendor‑supplied fix.
  • If upgrading immediately is not feasible, restrict or remove access to add_note.php for users lacking note‑adding privileges to prevent authenticated access to the vulnerable endpoint.
  • Implement input validation or a Web Application Firewall rule that blocks or sanitizes JavaScript code in the ticket_id parameter, preventing the payload from reaching the hidden input field.

Generated by OpenCVE AI on May 20, 2026 at 21:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_note.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field VALUE attribute. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim's browser when the URL is visited.
Title Open ISES Tickets < 3.44.2 Reflected XSS via add_note.php ticket_id Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-20T19:36:05.617Z

Reserved: 2026-03-31T20:40:15.617Z

Link: CVE-2026-35009

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-20T20:16:38.063

Modified: 2026-05-20T20:16:38.063

Link: CVE-2026-35009

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T21:30:36Z

Weaknesses