A reflected cross‑site scripting vulnerability exists in the add_nm.php script of Open ISES Tickets. The flaw allows an attacker who is authenticated to pass an unsanitized value through the ticket_id POST parameter, which is then reflected directly into both an HTML form input value attribute and an inline JavaScript string. When the attacker’s crafted request is rendered by the victim’s browser, the embedded JavaScript executes in the victim’s context. This can lead to theft of session cookies, execution of arbitrary code in the user’s browser, or other malicious actions confined to the victim’s session.

Open ISES Tickets versions before 3.44.2. The affected component is the add_nm.php endpoint that processes ticket creation or modification requests. All deployments of Open ISES Tickets older than 3.44.2 are potentially exposed if users can authenticate and submit ticket_id values.

The vulnerability has a CVSS score of 5.1, indicating moderate severity. No EPSS score is available and the flaw is not listed in the CISA KEV catalog. Exploitation requires that the attacker first authenticates to the system, after which they can send a malicious POST request containing a crafted ticket_id. While the attack surface is limited to authenticated users, the impact on a compromised account can be significant for that user’s session. The overall risk is moderate to high for environments where privileged users are exposed to potential XSS payloads.