Impact
Open ISES Tickets versions before 3.44.2 contain a reflected cross‑site scripting flaw in the circle.php script. The vulnerability arises because the frm_id POST parameter is inserted into an HTML form input value attribute without sanitization. An attacker can send a crafted request containing a malicious JavaScript payload that is reflected in the response and executed within the victim’s browser context. The result is that the attacker can inject and run arbitrary client‑side code, potentially stealing session cookies, altering page content, or performing actions on behalf of the authenticated user.
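The pattern described above, shown beside two hardened forms. This is an added example, not code from Open ISES Tickets or from circle.php itself; the function names, the hidden-input markup, the sample value, and the assumption that frm_id is meant to be a numeric identifier are all hypothetical.

```php
<?php
// Added illustration; not the project's code. Function names and the
// numeric-id assumption for frm_id are hypothetical.

// Pattern the advisory describes: the POST value is placed in the value
// attribute as-is, so a double quote in it ends the attribute early.
function render_unsafe(array $post): string
{
    $id = $post['frm_id'] ?? '';
    return '<input type="hidden" name="frm_id" value="' . $id . '">';
}

// Hardened: encode for the HTML attribute context at output time.
function render_encoded(array $post): string
{
    $id = $post['frm_id'] ?? '';
    if (!is_string($id)) {
        $id = '';   // frm_id[]=x arrives as an array, not a string
    }
    $safe = htmlspecialchars($id, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="frm_id" value="' . $safe . '">';
}

// Stricter variant, assuming frm_id is a numeric identifier: reject
// anything else before it reaches the template.
function render_validated(array $post): ?string
{
    $id = $post['frm_id'] ?? '';
    if (!is_string($id) || preg_match('/\A[0-9]+\z/', $id) !== 1) {
        return null;   // caller should answer with HTTP 400
    }
    return '<input type="hidden" name="frm_id" value="' . $id . '">';
}

// Constructed sample input: a harmless marker that contains the
// attribute-delimiting character.
$sample = ['frm_id' => '7" data-injected="1'];

echo render_unsafe($sample), PHP_EOL;
echo render_encoded($sample), PHP_EOL;
var_dump(render_validated($sample));
echo render_validated(['frm_id' => '7']), PHP_EOL;
```

Comparing the first two output lines shows the difference: the unencoded form gains an extra attribute from the request body, while the encoded form keeps the whole value inside `value="..."`.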
Affected Systems
The affected product is Open ISES Tickets for all versions older than 3.44.2. The vulnerability applies to any deployment of the Tickets application where the circle.php endpoint is reachable to authenticated users. No specific operating system or platform constraints are listed, implying that all users of these versions are potentially at risk.
Risk and Exploitability
The CVSS score of 5.1 indicates medium severity, reflecting that the vulnerability requires authenticated access and a symptom chosen by the attacker. The EPSS score is not available, so the immediate exploitation probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to be authenticated against the application; the flaw is not exploitable by unauthenticated users. Even with authentication, execution is limited to the victim’s browser and does not compromise the server directly. Nevertheless, the ability to inject arbitrary JavaScript can lead to session hijacking, phishing, or data exfiltration within the affected user’s session.