Description
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213rr.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.
Published: 2026-05-21
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open ISES Tickets before version 3.44.2 contains a reflected cross-site scripting flaw in the ics213rr.php script. When an authenticated user sends a POST request with the frm_add_str parameter, the value is inserted unsanitized into a hidden input field's value attribute. Because the parameter value is reflected in the HTML of the response, an attacker can embed arbitrary JavaScript that executes in the victim's browser when the page is rendered. The flaw requires authentication; the advisory specifies no further privilege requirements.

Affected Systems

Open ISES:Tickets versions prior to 3.44.2 are affected.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate level of risk. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. The flaw is limited to authenticated sessions, so the attack surface is restricted to users with valid credentials; however, once authenticated, an attacker can send malicious POST requests to inject JavaScript. The impact is limited to the victim’s browser session during rendering of the response.

Generated by OpenCVE AI on May 21, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open ISES:Tickets to version 3.44.2 or later, which resolves the reflected XSS flaw in ics213rr.php (CWE-79).
  • Implement input validation and output encoding for the frm_add_str POST parameter to escape or strip JavaScript, directly addressing the XSS weakness (CWE-79).
  • Restrict access to the ics213rr.php endpoint to trusted roles only, or disable it if not needed.
  • Deploy a web application firewall rule to block or sanitize JavaScript payloads in POST parameters, specifically targeting the frm_add_str field.
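The second recommended action (output encoding for the reflected parameter) is the fix that removes the weakness class rather than masking it. The following PHP is an added illustration, not code from Open ISES Tickets or from the advisory: the hidden-input template, the function names and the sample input are assumptions chosen to mirror the advisory's description of a POST value written into an attribute. It shows the weak pattern beside the hardened one, plus an optional allow-list check for the case where the field is only ever expected to carry a short identifier.

```php
<?php
// Added example for CWE-79 in an HTML attribute context. Not the project's code;
// the field name is taken from the advisory, everything else is assumed.

// Weak pattern: the raw POST value is concatenated straight into the attribute,
// so a double quote in the input ends the attribute early and whatever follows
// is parsed as markup.
function render_hidden_unsafe(array $post): string
{
    $value = $post['frm_add_str'] ?? '';
    return '<input type="hidden" name="frm_add_str" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES escapes
// both quote characters, ENT_SUBSTITUTE prevents invalid UTF-8 from silently
// producing an empty string, and the explicit charset avoids relying on the
// default_charset ini setting.
function render_hidden_safe(array $post): string
{
    $value = $post['frm_add_str'] ?? '';
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="frm_add_str" value="' . $encoded . '">';
}

// Optional allow-list validation, assuming the field should only carry a short
// token. Validation narrows the input; it does not replace output encoding,
// because the encoding is what makes the attribute context safe regardless of
// what passed validation.
function validate_add_str(string $value): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,64}$/', $value);
}

// Constructed sample input: a quote and angle brackets are enough to show the
// difference between the two renderings; no script payload is needed.
$sample = ['frm_add_str' => 'Smith "Jr." <test>'];

echo render_hidden_unsafe($sample), PHP_EOL;
echo render_hidden_safe($sample), PHP_EOL;
var_dump(validate_add_str($sample['frm_add_str']));
```

Running the script with the constructed sample shows the unsafe rendering producing an attribute that terminates at the first embedded quote, while the safe rendering keeps the whole string inside the attribute as entity-encoded text, and the allow-list rejects the value outright. Apply the same context-specific encoding at every point where the parameter is echoed, not only in the hidden input, since reflected values often appear in more than one place in a response.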

Generated by OpenCVE AI on May 21, 2026 at 19:50 UTC.


Advisories

No advisories yet.

History

Thu, 21 May 2026 18:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 May 2026 17:45:00 +0000

Type: Description
Values removed: (none)
Values added: Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213rr.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Type: Title
Values removed: (none)
Values added: Open ISES Tickets < 3.44.2 Reflected XSS via ics213rr.php frm_add_str Parameter

Type: Weaknesses
Values removed: (none)
Values added: CWE-79

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}; cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-21T17:54:42.656Z

Reserved: 2026-05-21T13:15:18.100Z

Link: CVE-2026-48223

Vulnrichment

Updated: 2026-05-21T17:54:39.167Z

NVD

Status: Deferred

Published: 2026-05-21T18:16:18.740

Modified: 2026-05-21T19:10:12.323

Link: CVE-2026-48223

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T20:00:16Z

Weaknesses