Description
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics214.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.
Published: 2026-05-21
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Open ISES:Tickets allows an authenticated user to send a crafted POST request to ics214.php that includes an unsanitized frm_add_str value. The value is reflected directly into the value attribute of a hidden input field in the HTML response, so any JavaScript contained in the parameter executes in the victim's browser when the form is rendered. This can lead to session hijacking, phishing, or arbitrary script execution within the user's session.

Affected Systems

All installations of Open ISES:Tickets older than version 3.44.2 are affected. The vendor’s release notes for v3.44.2 indicate that the flaw has been fixed. No other product versions are mentioned as affected in the advisory.

Risk and Exploitability

The CVSS score of 5.1 places the issue in the moderate risk range, and exploitation requires authentication, which narrows the threat surface. The EPSS score is below 1% and the vulnerability is not listed in the KEV catalog, so there is no indication of public exploitation to date. Nonetheless, the ability to run arbitrary JavaScript in users' browsers remains a real concern for sites with active user interactions and should be addressed promptly.

Generated by OpenCVE AI on May 21, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open ISES:Tickets to version 3.44.2 or later, which removes the unsanitized frm_add_str handling.
  • Implement proper input sanitization or HTML escaping for the frm_add_str parameter so that any injected scripts are neutralized before rendering.
  • Configure access controls to limit submissions to ics214.php to trusted, authenticated requests, and consider disabling or removing the endpoint if it is not required.
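The second recommended action, output encoding at the sink, is illustrated below. This is an added example and not code from Open ISES Tickets; only the parameter name frm_add_str and the hidden-input sink come from the advisory, and the surrounding form and function names are hypothetical. The unsafe function reproduces the class of defect described (a raw POST value written into an attribute), and the hardened function shows the escaping that neutralizes it.

```php
<?php
// Added illustration, not code from Open ISES Tickets. The parameter name
// frm_add_str comes from the advisory; the form and helper names are assumed.

// Vulnerable pattern: the POST value is written straight into the value
// attribute, so attribute-breaking characters in the input are interpreted
// as markup by the browser instead of as data.
function render_hidden_unsafe(string $value): string
{
    return '<input type="hidden" name="frm_add_str" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES turns
// both " and ' into entities, so the value can never terminate the attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of returning an
// empty string, so malformed input does not silently drop the field.
function render_hidden_safe(string $value): string
{
    $escaped = htmlspecialchars(
        $value,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<input type="hidden" name="frm_add_str" value="' . $escaped . '">';
}

// Constructed sample input for a local run: a value containing an
// attribute-closing quote and a tag. With no POST body, the default is used.
$sample = $_POST['frm_add_str'] ?? 'abc"><b>x</b>';

echo "unsafe: ", render_hidden_unsafe($sample), PHP_EOL;
echo "safe:   ", render_hidden_safe($sample), PHP_EOL;
```

Run it with `php example.php` and compare the two lines: in the unsafe output the quote in the sample ends the value attribute and the `<b>` element becomes part of the page, while in the safe output every quote and angle bracket is an entity and the whole string stays inside the attribute. The same htmlspecialchars call should be applied to any other request value that reaches an attribute or element body in ics214.php; escaping once at the sink is more reliable than trying to strip scripts from the input.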



Advisories

No advisories yet.

History

Sat, 23 May 2026 03:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 12:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Openises; Openises tickets

Type: Vendors & Products
Values Removed: (none)
Values Added: Openises; Openises tickets

Thu, 21 May 2026 17:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics214.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Type: Title
Values Removed: (none)
Values Added: Open ISES Tickets < 3.44.2 Reflected XSS via ics214.php frm_add_str Parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
cvssV4_0
{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-23T02:20:45.255Z

Reserved: 2026-05-21T13:15:18.100Z

Link: CVE-2026-48224

Vulnrichment

Updated: 2026-05-23T02:20:40.832Z

NVD

Status : Deferred

Published: 2026-05-21T18:16:18.870

Modified: 2026-05-21T19:10:12.323

Link: CVE-2026-48224

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T12:30:27Z

Weaknesses