Description
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in delete_module.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters (module_choice, flag, confirmation) directly into rendered HTML content and form action attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.
Published: 2026-05-21
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open ISES Tickets before version 3.44.2 contains a reflected cross‑site scripting flaw in delete_module.php that lets attackers who are already authenticated inject arbitrary JavaScript by supplying unsanitized values for the POST parameters module_choice, flag and confirmation. The injected script is reflected back in the page’s HTML and form action attributes, enabling the attacker to execute code in the victim’s browser. This can lead to cookie theft, session hijacking, defacement or other client‑side compromise for any user who views the affected page.

Affected Systems

The vulnerability affects all releases of Open ISES Tickets older than 3.44.2, regardless of deployment platform. Users of the Open ISES:Tickets product running any pre‑3.44.2 version are exposed.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. The EPSS score is not available, so the likelihood of exploitation in the wild cannot be quantified but there is no evidence of widespread attacks. The flaw is not listed in CISA’s KEV catalog. Attackers must first authenticate to the web interface; once credentials are obtained or gained via social engineering, they can craft a malicious POST request to delete_module.php, which is both straightforward and does not require advanced privileges. The likely attack vector is a web‑based attack originating from a compromised user session.

Generated by OpenCVE AI on May 21, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later to remove the reflected XSS vector.
  • If an immediate upgrade is impossible, limit access to delete_module.php to trusted staff or block the vulnerable POST parameters using a web‑application firewall.
  • Implement input validation and output encoding for module_choice, flag and confirmation to prevent reflected XSS in future releases.

Generated by OpenCVE AI on May 21, 2026 at 18:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in delete_module.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters (module_choice, flag, confirmation) directly into rendered HTML content and form action attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.
Title Open ISES Tickets < 3.44.2 Reflected XSS via delete_module.php Multiple POST Parameters
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-21T17:53:12.656Z

Reserved: 2026-05-21T13:15:18.100Z

Link: CVE-2026-48217

cve-icon Vulnrichment

Updated: 2026-05-21T17:53:06.882Z

cve-icon NVD

Status : Deferred

Published: 2026-05-21T18:16:17.983

Modified: 2026-05-21T19:10:12.323

Link: CVE-2026-48217

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T18:30:16Z

Weaknesses