Impact
Open ISES Tickets versions prior to 3.44.2 contain a reflected cross-site scripting flaw in icons/buttons/landb.php. The script takes the frm_name and frm_id POST parameters and embeds their unsanitized values directly into the response HTML and inline JavaScript, so an authenticated user who supplies crafted values can have script run in the context of the victim's web session. Because the flaw is client-side, its consequences are those of any reflected XSS: cookie theft, session hijacking, in-page defacement, or other compromise of the victim's browser session. The weakness is classified as CWE-79.
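The following is an added illustration, not code from Open ISES Tickets: a hypothetical reconstruction of the reflection pattern the advisory describes (POST values written into an HTML attribute and an inline script) next to a hardened version that validates and context-encodes the same two parameters. All function and variable names, and the assumption that frm_id is an opaque string, are mine.

```php
<?php
// Added example: hypothetical reconstruction of the landb.php pattern the
// advisory describes, not the project's own code. Names are assumptions.
declare(strict_types=1);

// Vulnerable pattern: POST values land verbatim in an HTML attribute and in
// an inline <script>, so quotes or markup in them are parsed by the browser.
function renderUnsafe(array $post): string
{
    $name = $post['frm_name'] ?? '';
    $id   = $post['frm_id'] ?? '';
    return "<input name=\"frm_name\" value=\"$name\">\n"
         . "<script>var landbId = '$id';</script>\n";
}

// Hardened version: reject input that has no plausible shape, then encode
// each value for the exact context it is written into.
function renderSafe(array $post, string $nonce): string
{
    $name = (string)($post['frm_name'] ?? '');
    $id   = (string)($post['frm_id'] ?? '');
    // Assumed limits: the real format of frm_id is not stated in the advisory.
    if (strlen($name) > 200 || !preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $id)) {
        http_response_code(400);
        return 'invalid request';
    }
    // HTML attribute context: escape & < > " and ' so the value stays text.
    $nameHtml = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // JavaScript context: json_encode yields a valid JS string literal; the
    // HEX flags also escape < > & ' " so the literal cannot close the tag.
    $idJs = json_encode($id, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    $nonceHtml = htmlspecialchars($nonce, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<input name=\"frm_name\" value=\"$nameHtml\">\n"
         . "<script nonce=\"$nonceHtml\">var landbId = $idJs;</script>\n";
}

// Defence in depth: a nonce-based CSP means only the script block the server
// emitted can run, so a missed encoding step elsewhere is far less useful.
$nonce = base64_encode(random_bytes(16));
header("Content-Security-Policy: default-src 'self'; script-src 'nonce-$nonce'");
header('X-Content-Type-Options: nosniff');
header('Content-Type: text/html; charset=UTF-8');

echo renderSafe($_POST, $nonce);
```

renderUnsafe is kept only for side-by-side reading; nothing calls it, and the response is produced by renderSafe.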
Affected Systems
The affected product is Open ISES Tickets. All releases before version 3.44.2 are vulnerable; no specific build numbers are listed, so any edition of the application that has not yet been upgraded to 3.44.2 or later is at risk.
Risk and Exploitability
The CVSS score is 5.1, indicating a medium severity vulnerability. No EPSS score is available, and the weakness is not listed in CISA's KEV catalog, suggesting it is not known to be actively exploited in the wild. Exploitation requires the attacker to be authenticated to the application and to issue a crafted POST request to icons/buttons/landb.php. The risk is concentrated in the victim’s browser, but the impact can be significant for users with privileged sessions. Prompt patching is advised given the availability of an official fix and the moderate score.
OpenCVE Enrichment