Description
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket_id GET parameters directly into an HTML form action URL. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.
Published: 2026-05-21
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open ISES Tickets versions prior to 3.44.2 permit authenticated users to embed unsanitized input from the "id" and "ticket_id" GET parameters into an HTML form action. This flaw allows an attacker to inject JavaScript that executes in the victim’s browser when the page is rendered. The injected code runs with the privileges of the logged‑in user, enabling theft of session cookies, defacement of pages, or redirection to malicious sites.

Affected Systems

The vulnerability affects the Open ISES Tickets product. Any deployment of this software with a version earlier than 3.44.2 is susceptible. The vendor’s own release notes indicate that the patch was applied in the 3.44.2 release.

Risk and Exploitability

The CVSS score of 5.1 classifies the issue as moderate, reflecting that exploitability requires authentication and that it is primarily an in‑browser attack. No EPSS data is available and the vulnerability is not listed in CISA’s KEV catalog, suggesting that it has not been widely exploited yet. An attacker would need to craft a malicious URL containing a JavaScript payload; if a legitimate user clicks or is tricked into visiting it, the script will run in the victim’s session. The lack of a public exploit does not preclude future abuse once the flaw is disclosed widely.

Generated by OpenCVE AI on May 21, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the official upgrade to Open ISES Tickets version 3.44.2 or later, which removes the reflected XSS bug.
  • If an upgrade is not immediately possible, implement input validation or sanitization on the "id" and "ticket_id" parameters before they are incorporated into HTML. Alternatively, change the form to use POST rather than embedding GET parameters in the action URL.
  • Review user roles and restrict access to the affected functionality so that only trusted accounts can use the parameters, thereby limiting the potential impact of any remaining flaw.
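The second recommended action, shown as an added example rather than code from Open ISES Tickets: a hypothetical reconstruction of the pattern the advisory describes (a GET value echoed straight into a form action) next to a hardened version that validates both identifiers, escapes the resulting URL, and optionally moves them into POST fields. The function names, the form markup and the assumption that ticket identifiers are positive integers are all mine, not the project's.

```php
<?php
// Added example, not code from Open ISES Tickets. The markup and helper names are
// assumptions; only the parameter names (id, ticket_id) come from the advisory.

// Vulnerable pattern (hypothetical reconstruction): the raw query values are
// concatenated into the action attribute without validation or escaping, so any
// value that can close the attribute is reflected into the page as markup.
function render_form_unsafe(array $query): string
{
    $id = $query['id'] ?? '';
    $ticketId = $query['ticket_id'] ?? '';
    return '<form action="patient.php?id=' . $id . '&ticket_id=' . $ticketId . '" method="post">'
         . '<button type="submit">Save</button></form>';
}

// Validation step: accept only positive integers (assumption: ticket identifiers are
// numeric), rejecting everything else before it reaches the HTML.
function validate_id($value): ?int
{
    $n = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

// Hardened form: validated values are URL-encoded by http_build_query(), and the whole
// URL is then passed through htmlspecialchars() with ENT_QUOTES so it stays safe inside
// a double-quoted attribute even if the validation rule is later relaxed.
function render_form_safe(array $query): string
{
    $id = validate_id($query['id'] ?? null);
    $ticketId = validate_id($query['ticket_id'] ?? null);
    if ($id === null || $ticketId === null) {
        http_response_code(400);               // reject rather than reflect
        return '<p>Invalid ticket reference.</p>';
    }
    $url = 'patient.php?' . http_build_query(['id' => $id, 'ticket_id' => $ticketId]);
    return '<form action="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" method="post">'
         . '<button type="submit">Save</button></form>';
}

// Alternative the advisory mentions: keep the identifiers out of the action URL entirely
// and carry them as hidden POST fields (still escaped as attribute values).
function render_form_post_only(int $id, int $ticketId): string
{
    $esc = fn($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');
    return '<form action="patient.php" method="post">'
         . '<input type="hidden" name="id" value="' . $esc($id) . '">'
         . '<input type="hidden" name="ticket_id" value="' . $esc($ticketId) . '">'
         . '<button type="submit">Save</button></form>';
}
```

Calling `render_form_safe(['id' => '12', 'ticket_id' => '7'])` yields an action of `patient.php?id=12&amp;ticket_id=7`, while any non-numeric value returns the 400 page instead of being reflected.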


Tracking


Advisories

No advisories yet.

History

Thu, 21 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 21 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket_id GET parameters directly into an HTML form action URL. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.
Title Open ISES Tickets < 3.44.2 Reflected XSS via patient.php id and ticket_id Parameters
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-21T17:55:21.905Z

Reserved: 2026-05-21T13:15:18.100Z

Link: CVE-2026-48227

Vulnrichment

Updated: 2026-05-21T17:51:43.593Z

NVD

Status : Deferred

Published: 2026-05-21T18:16:19.257

Modified: 2026-05-21T19:10:12.323

Link: CVE-2026-48227

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T18:30:16Z

Weaknesses