The vulnerability resides in the ticketsmdb_import.php component of Open ISES Tickets versions earlier than 3.44.2. It allows an authenticated attacker to supply values for a range of POST parameters—such as mdbhost, mdbdb, mdbuser, mdbpassword, mdbprefix, ticketshost, ticketsdb, ticketsuser, ticketspassword, and ticketsprefix—which are then inserted directly into the value attributes of hidden input elements in the resulting HTML. Because these values are not sanitized, an attacker can embed arbitrary JavaScript that will execute when the response is rendered in a victim’s browser, enabling the attacker to execute code in the victim's session or capture sensitive information, thereby compromising the confidentiality and integrity of the user’s data and potentially their session. The weakness is classified as a reflected cross‑site scripting flaw (CWE‑79).

Open ISES:Tickets deployments running any version prior to 3.44.2 are impacted. No explicit sub‑versions are listed, so all releases below the highlighted 3.44.2 patch remain vulnerable.

The CVSS score of 5.1 indicates moderate severity. The EPSS metric is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated to access ticketsmdb_import.php, implying that compromised user credentials or insider access are prerequisite. Once authenticated, an attacker can simply craft a malicious POST request with a JavaScript payload that, when processed, will be reflected into hidden form fields and executed in the context of any user who subsequently views the imported ticket data. Given the moderate CVSS score and absence of publicly documented exploits, the risk is present but not exceptionally high; however, the impact of successful exploitation can be significant to users within the affected system.