Description
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_i.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into HTML form hidden input value attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.
Published: 2026-05-21
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open ISES Tickets before version 3.44.2 contains a reflected cross-site scripting flaw. An authenticated attacker can supply an arbitrary JavaScript payload in the ticket_id GET parameter that is inserted unescaped into a hidden input field and executed when a victim's browser loads the page. This enables the attacker to steal session cookies, hijack user accounts, or inject malicious content into the user's session.

Affected Systems

The vulnerability affects all installations of Open ISES Tickets with a version lower than 3.44.2. No specific sub-version list is provided beyond the cutoff at 3.44.2.

Risk and Exploitability

The CVSS base score of 5.1 indicates moderate severity. No EPSS data is available, and the issue is not listed in the CISA KEV catalog. The attack requires that the attacker be authenticated to the application; once authenticated, the attacker can craft a malicious request that causes the victim's browser to execute the injected payload on any page that reflects the ticket_id parameter. The combination of authenticated access, missing input sanitization, and browser-side execution results in a moderate to high risk within the affected environment.

Generated by OpenCVE AI on May 21, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later to apply the vendor-fixed patch.
  • Modify the ticket_id handler to encode or otherwise sanitize the value before inserting it into any HTML attribute or content.
  • Deploy a web application firewall rule or server-side filter that blocks or escapes typical XSS payloads on the routes_i.php endpoint.
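The second action above, shown as an added example that is not code from Open ISES Tickets: the unsafe hidden-input pattern the advisory describes beside a hardened version that validates ticket_id as a ticket number and attribute-encodes it. Function names and the form markup are assumptions; only the parameter name and the hidden-input context come from the advisory.

```php
<?php
// Added illustration, not Open ISES code. Function names and markup are
// assumptions; the ticket_id parameter and hidden-input context are from
// the advisory.

// Vulnerable pattern: the raw GET value lands inside a double-quoted
// attribute, so any value containing a quote can close the attribute
// and add new attributes or break out of the tag entirely.
function render_hidden_ticket_unsafe(array $get): string
{
    $id = $get['ticket_id'] ?? '';
    return '<input type="hidden" name="ticket_id" value="' . $id . '">';
}

// Attribute-encoding helper: ENT_QUOTES escapes both " and ', which is
// what matters inside an attribute; ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8 (which would silently drop the value).
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: reject anything that is not a plain ticket number,
// then encode anyway (defence in depth in case the allow-list is later
// relaxed). is_string() guards against ticket_id[]=... array inputs.
function render_hidden_ticket_safe(array $get): string
{
    $raw = $get['ticket_id'] ?? '';
    if (!is_string($raw) || !ctype_digit($raw)) {
        // Invalid id: emit nothing rather than reflecting the value.
        return '';
    }
    return '<input type="hidden" name="ticket_id" value="' . attr($raw) . '">';
}

// Constructed sample input: a quote-bearing value of the kind the
// advisory describes (harmless here; it only shows the attribute break).
$sample = ['ticket_id' => '42" data-x="y'];
echo render_hidden_ticket_unsafe($sample), "\n";   // quote closes the attribute
echo render_hidden_ticket_safe($sample), "\n";     // rejected by the allow-list
echo attr($sample['ticket_id']), "\n";             // encoded form, if reflection is unavoidable
echo render_hidden_ticket_safe(['ticket_id' => '42']), "\n";
```

Running the file with `php` shows the raw value splitting the hidden input into two attributes, while the hardened path either rejects it or keeps it inside the quoted value.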

Advisories

No advisories yet.

History

Thu, 21 May 2026 18:30:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 21 May 2026 17:45:00 +0000

Type: Description
Values Removed: none
Values Added: Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_i.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into HTML form hidden input value attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Type: Title
Values Removed: none
Values Added: Open ISES Tickets < 3.44.2 Reflected XSS via routes_i.php ticket_id Parameter

Type: Weaknesses
Values Removed: none
Values Added: CWE-79

Type: References
Values Removed: none
Values Added: none

Type: Metrics (cvssV3_1)
Values Removed: none
Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Type: Metrics (cvssV4_0)
Values Removed: none
Values Added: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-21T18:01:33.016Z

Reserved: 2026-05-21T13:15:18.100Z

Link: CVE-2026-48229

Vulnrichment

Updated: 2026-05-21T18:01:26.380Z

NVD

Status: Deferred

Published: 2026-05-21T18:16:19.507

Modified: 2026-05-21T19:10:12.323

Link: CVE-2026-48229

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T18:30:16Z

Weaknesses