Impact
Open ISES Tickets versions prior to 3.44.2 contain a reflected cross-site scripting flaw in patient_w.php that allows authenticated attackers to inject arbitrary JavaScript through the id and ticket_id GET parameters, which are not sanitized. The input is concatenated into an HTML form action URL, so a malicious request can execute the payload in the victim's browser when the response is rendered. The injected code runs in the context of the victim's session, potentially leading to credential theft, session hijacking, or other client-side compromises.
Affected Systems
The vulnerability affects the Open ISES:Tickets application. All releases of Open ISES Tickets before version 3.44.2 are impacted; upgrading to 3.44.2 or a later release is required to remediate the flaw.
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity. The flaw requires the attacker to be an authenticated user of the application. Exploitation involves injecting malicious JavaScript into the unsanitized id and ticket_id GET parameters of patient_w.php, which are then reflected into a form action URL. If the victim opens a crafted URL while logged into the application, the script runs in the context of their session, giving the attacker the ability to run arbitrary client-side code. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating that there is no evidence of widespread or active exploitation to date.
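The reflection pattern described above, next to a hardened form, as an added PHP example that is not taken from the Open ISES Tickets source. The function names are hypothetical, the sample input is constructed, and the example assumes both parameters are non-negative integer record ids.

```php
<?php
// Added illustration, not Open ISES Tickets source. Function names are hypothetical.

// The pattern the advisory describes: GET values concatenated into a form action.
function form_open_unsafe(array $get): string
{
    return '<form method="post" action="patient_w.php?id=' . $get['id']
        . '&ticket_id=' . $get['ticket_id'] . '">';
}

// Hardened form: validate the type first, then encode for the HTML attribute context.
function form_open_safe(array $get): string
{
    $params = [];
    foreach (['id', 'ticket_id'] as $name) {
        // Assumption: both parameters are non-negative integer record ids.
        $value = filter_var($get[$name] ?? null, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0]]);
        if ($value === false) {
            throw new InvalidArgumentException("invalid $name");
        }
        $params[$name] = $value;
    }
    // http_build_query URL-encodes the values; htmlspecialchars encodes the
    // finished URL (including the & separator) for use inside an attribute.
    $url = 'patient_w.php?' . http_build_query($params);
    return '<form method="post" action="'
        . htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// Constructed sample input: a quote character ends the action attribute early.
$crafted = ['id' => '7" data-injected="1', 'ticket_id' => '12'];
echo form_open_unsafe($crafted), PHP_EOL;   // attribute boundary is broken

try {
    echo form_open_safe($crafted), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo form_open_safe(['id' => '7', 'ticket_id' => '12']), PHP_EOL;
```

Validation rejects the non-numeric value outright, and the attribute encoding remains as a second layer in case a parameter's type rules are later relaxed.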