Description
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in street_view.php that allows authenticated attackers to inject arbitrary JavaScript by passing unsanitized values through the thelat and thelng GET parameters directly into JavaScript variable assignments. Attackers can craft a malicious URL containing a JavaScript payload in either parameter that executes in the victim's browser when the URL is visited.
Published: 2026-05-20
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open ISES Tickets before version 3.44.2 contains a reflected cross-site scripting flaw in street_view.php that allows an authenticated attacker to inject arbitrary JavaScript via the unsanitized GET parameters thelat and thelng. When a victim visits a crafted URL, the payload is executed in the victim's browser, enabling malicious actions such as defacement, cookie theft, or credential compromise.

Affected Systems

All installations of Open ISES Tickets with versions older than 3.44.2 are affected. The ticketing system is identified by the product name tickets from the vendor openises.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity. Exploitability requires an attacker to be authenticated to the system, but a successful exploit can be triggered simply by convincing the victim to open a malicious link. Because the EPSS is not available and the vulnerability is not listed in the KEV catalog, the likelihood of widespread exploitation is uncertain, yet the potential impact on user session integrity and data confidentiality warrants prompt attention.

Generated by OpenCVE AI on May 20, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later to remove the reflected XSS issue.
  • As an interim measure, configure the web server or application firewall to block or strip thelat and thelng query parameters from street_view.php if a legitimate use case is not required.
  • Implement server-side validation to ensure that thelat and thelng contain only numeric latitude and longitude values, and escape any output that incorporates these parameters before sending it to the browser.
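The validate-and-escape approach from the list above, as an added example that is not Open ISES Tickets' own code: a hypothetical street_view.php handler that rejects any thelat or thelng value that is not a plain decimal coordinate and then emits the values into the script block with json_encode, so no request value can ever be interpreted as JavaScript. The function name, regular expression and surrounding markup are assumptions for illustration only.

```php
<?php
// Added example, not code from Open ISES Tickets. A hypothetical handler that
// validates the thelat/thelng GET parameters before they reach a <script> block.
//
// The pattern the advisory describes (do not do this) is writing the raw
// parameter into a JavaScript assignment, e.g. echo $_GET['thelat'] inside
// "var thelat = ...;". Any non-numeric value then runs as script in the browser.

declare(strict_types=1);

/**
 * Return the parameter as a float if it is a well-formed coordinate within
 * range, otherwise null. Accepts only an optional sign, digits and an
 * optional decimal fraction, so hex, exponents, whitespace and arrays are
 * all rejected before anything is echoed.
 */
function coordinate_from_query(array $query, string $name, float $limit): ?float
{
    if (!isset($query[$name]) || !is_string($query[$name])) {
        return null; // missing, or sent as thelat[]=... (an array)
    }
    // \z (not $) so a trailing newline cannot slip past the check.
    if (!preg_match('/^-?\d{1,3}(\.\d{1,10})?\z/', $query[$name])) {
        return null;
    }
    $value = (float) $query[$name];
    return abs($value) <= $limit ? $value : null;
}

$lat = coordinate_from_query($_GET, 'thelat', 90.0);   // latitude:  -90..90
$lng = coordinate_from_query($_GET, 'thelng', 180.0);  // longitude: -180..180

if ($lat === null || $lng === null) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=utf-8');
    echo "thelat and thelng must be numeric latitude/longitude values.\n";
    exit;
}

header('Content-Type: text/html; charset=utf-8');
// json_encode emits a JavaScript number literal here; the JSON_HEX_* flags
// mean that even a string value would have <, >, &, ' and " hex-escaped,
// so the output can never close the <script> element or the assignment.
$flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
?>
<!DOCTYPE html>
<html><body>
<div id="street-view"></div>
<script>
var thelat = <?= json_encode($lat, $flags) ?>;
var thelng = <?= json_encode($lng, $flags) ?>;
</script>
</body></html>
```

Validating the type on the server is the primary fix; the json_encode step is defence in depth for any other value that is later added to the same script block.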

Advisories

No advisories yet.

History

Wed, 20 May 2026 20:15:00 +0000

Type / Values Removed / Values Added (no values were removed in this entry; the rows below are the values added)

Description (added): Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in street_view.php that allows authenticated attackers to inject arbitrary JavaScript by passing unsanitized values through the thelat and thelng GET parameters directly into JavaScript variable assignments. Attackers can craft a malicious URL containing a JavaScript payload in either parameter that executes in the victim's browser when the URL is visited.
Title (added): Open ISES Tickets < 3.44.2 Reflected XSS via street_view.php thelat and thelng Parameters
Weaknesses (added): CWE-79
References (added): none listed
Metrics (added):
  cvssV3_1: score 4.6, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
  cvssV4_0: score 5.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-20T19:39:06.425Z

Reserved: 2026-03-31T20:40:15.618Z

Link: CVE-2026-35013

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-20T20:16:38.640

Modified: 2026-05-20T20:16:38.640

Link: CVE-2026-35013

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T21:30:36Z

Weaknesses