Description
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.
Published: 2026-05-21
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected cross-site scripting flaw in the ics213.php component. It allows an attacker who already has authenticated access to the application to supply an unfiltered value in the frm_add_str POST parameter. When the response is rendered, the unsanitized input is inserted directly into an HTML form hidden input attribute, causing any embedded JavaScript to execute in the victim’s browser.

Affected Systems

Affected are all instances of Open ISES Tickets running any version earlier than 3.44.2. The vulnerability has been addressed in the 3.44.2 release, as noted in the project’s GitHub tags and commit history.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity; the EPSS score is not available and the issue is not listed in CISA KEV, implying no widespread exploitation. Since exploitation requires an authenticated session, the risk is limited to users with legitimate access credentials. Organizations should treat this as an internal threat that can lead to session hijacking, phishing, or data leakage if an attacker can inject malicious scripts into users’ browsers.

Generated by OpenCVE AI on May 21, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later, using the official GitHub release.
  • As a temporary mitigation, limit access to the ics213.php interface or remove the frm_add_str parameter from usage, ensuring any input is properly sanitized before rendering.
  • Deploy a Web Application Firewall to detect and block XSS payloads in POST requests to ics213.php.
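The sanitization the second action refers to, shown as an added PHP example that is not code from Open ISES Tickets: the hidden-input rendering pattern the advisory describes beside its escaped form. Function names and the sample value are assumptions made for the demonstration.

```php
<?php
// Added example, not the project's code. Contrasts writing a POST value
// straight into a hidden input's value attribute (the pattern the advisory
// describes) with escaping it at the output point.

// Unsafe pattern: a double quote in $value closes the attribute, so any
// markup or event-handler text that follows becomes part of the page.
function render_hidden_unsafe(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: escape with ENT_QUOTES so both quote styles, plus < > &,
// become entities. The browser decodes them when building the attribute, so
// the form still submits the original string unchanged.
function render_hidden_safe(string $name, string $value): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="' . $esc($name) . '" value="' . $esc($value) . '">';
}

// Regression check a maintainer could keep in a test suite: the rendered
// element must not contain the raw input, and only the four delimiting
// quotes of the element itself may remain.
function attribute_is_escaped(string $html, string $rawValue): bool
{
    return strpos($html, $rawValue) === false
        && substr_count($html, '"') === 4;
}

// Constructed sample value that tries to break out of the attribute
// (falls back to the constant when run from the command line).
$input = $_POST['frm_add_str'] ?? '"><b>constructed sample</b>';

$unsafe = render_hidden_unsafe('frm_add_str', $input);
$safe   = render_hidden_safe('frm_add_str', $input);

echo $unsafe, PHP_EOL;  // the <b> element now sits outside the attribute
echo $safe, PHP_EOL;    // the whole value stays inside value="..."
var_dump(attribute_is_escaped($unsafe, $input));
var_dump(attribute_is_escaped($safe, $input));
```

The same output-encoding rule applies to every other place a request value is echoed into markup; a WAF rule only catches payload shapes it already knows.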

Advisories

No advisories yet.

History

Thu, 21 May 2026 18:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 21 May 2026 17:45:00 +0000

Values removed: (none)

Type: Description
Values added: Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Type: Title
Values added: Open ISES Tickets < 3.44.2 Reflected XSS via ics213.php frm_add_str Parameter

Type: Weaknesses
Values added: CWE-79

Type: References
Values added:

Type: Metrics
Values added: cvssV3_1
{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0
{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-21T17:51:52.886Z

Reserved: 2026-05-21T13:15:18.100Z

Link: CVE-2026-48222

Vulnrichment

Updated: 2026-05-21T17:51:50.018Z

NVD

Status: Deferred

Published: 2026-05-21T18:16:18.613

Modified: 2026-05-21T19:10:12.323

Link: CVE-2026-48222

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T19:00:14Z

Weaknesses