The vulnerability exists in the patient_JF.php file of Open ISES Tickets and allows an attacker to embed arbitrary JavaScript into a web page by supplying an unsanitized value through the ticket_id GET parameter. Because the value is assigned to a JavaScript variable without validation, a malicious payload can be executed in the victim’s browser when the crafted URL is visited. This is a classic Reflected Cross‑Site Scripting flaw (CWE‑79) that can lead to session hijacking, defacement, or other client‑side compromise for authenticated users.

Open ISES Tickets versions older than 3.44.2 are affected. The affected product is the Open ISES Tickets web application, released by openises, with the vulnerability present in all builds prior to the 3.44.2 update. No other versions or sub‑products are currently listed as impacted.

The CVSS score of 5.1 reflects a moderate risk that requires the attacker to be an authenticated user, indicating that unauthorized users cannot trigger the flaw. The EPSS score is unavailable, and the vulnerability is not listed in CISA’s KEV catalog. Attackers would need to obtain valid credentials to an instance of the application and then craft a URL containing a JavaScript payload in the ticket_id parameter; when the victim visits the URL, the payload would execute in their browser, potentially compromising the session. Because the exploit needs authentication and the risk relies on client‑side execution, the overall threat level is moderate but still warrants timely remediation.