Impact
The vulnerability is a classic SQL injection flaw in the incs/remotes.inc.php file of Open ISES Tickets, where latitude, longitude, callsign, mph, altitude, and timestamp values extracted from XML/JSON responses of external GPS tracking services are concatenated directly into UPDATE and INSERT statements without any sanitization. This flaw allows an attacker who can control or spoof the GPS tracker endpoint to embed malicious SQL, enabling unauthorized modification of responder location, track, and assignment data. The resulting impact concerns data integrity and potentially administrative privilege escalation within the application.
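As an added illustration (not the actual code of Open ISES Tickets, whose queries in incs/remotes.inc.php are not reproduced here), the concatenation pattern the advisory describes is shown beside a PDO prepared-statement rewrite; the `tracks` table and its column names are assumed, and the decoded tracker response is a constructed sample.

```php
<?php
// Added example, not code from Open ISES Tickets. Table and column names are
// hypothetical; the advisory does not give the real schema.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tracks (callsign TEXT, latitude REAL, longitude REAL,'
        . ' mph REAL, altitude REAL, timestamp TEXT)');

// Constructed stand-in for a decoded GPS-service JSON response. The apostrophe
// in the callsign is an ordinary value that already breaks concatenation.
$fix = json_decode('{"callsign":"O\'Brien","latitude":"51.5","longitude":"-0.12",'
                 . '"mph":"12","altitude":"35","timestamp":"2024-01-01 12:00:00"}', true);

// VULNERABLE pattern: remote-controlled values spliced into the SQL text.
function insertUnsafe(PDO $db, array $fix): void
{
    $sql = "INSERT INTO tracks (callsign, latitude, longitude, mph, altitude, timestamp) "
         . "VALUES ('" . $fix['callsign'] . "', " . $fix['latitude'] . ", "
         . $fix['longitude'] . ", " . $fix['mph'] . ", " . $fix['altitude']
         . ", '" . $fix['timestamp'] . "')";
    $db->exec($sql); // any quote or SQL fragment in the feed alters the statement
}

// HARDENED pattern: placeholders keep data out of the SQL text, and numeric
// fields are validated so a non-numeric value is rejected instead of executed.
function insertSafe(PDO $db, array $fix): void
{
    foreach (['latitude', 'longitude', 'mph', 'altitude'] as $k) {
        if (!is_numeric($fix[$k] ?? null)) {
            throw new InvalidArgumentException("non-numeric $k in tracker response");
        }
    }
    $stmt = $db->prepare('INSERT INTO tracks (callsign, latitude, longitude, mph, altitude, timestamp)'
                       . ' VALUES (:cs, :lat, :lon, :mph, :alt, :ts)');
    $stmt->execute([
        ':cs'  => (string) $fix['callsign'],  ':lat' => (float) $fix['latitude'],
        ':lon' => (float) $fix['longitude'],  ':mph' => (float) $fix['mph'],
        ':alt' => (float) $fix['altitude'],   ':ts'  => (string) $fix['timestamp'],
    ]);
}

try {
    insertUnsafe($db, $fix);          // fails: the apostrophe unbalances the quoting
} catch (PDOException $e) {
    echo "unsafe insert failed: " . $e->getMessage() . PHP_EOL;
}
insertSafe($db, $fix);                // the same data is stored verbatim and safely
echo $db->query('SELECT COUNT(*) FROM tracks')->fetchColumn() . " row(s) stored" . PHP_EOL;
```

The unsafe function fails on a harmless apostrophe, which is the same mechanism by which a spoofed tracker response could change the statement; the prepared statement stores the identical data without the value ever becoming part of the SQL.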
Affected Systems
Open ISES Tickets releases prior to version 3.44.2 are affected. The product vendor is Open ISES:Tickets. Every installation running a version older than 3.44.2 is affected, regardless of deployment model.
Risk and Exploitability
The CVSS score of 8.8 indicates high severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires the attacker to compromise or impersonate the external GPS tracker service that feeds data into the application, which is plausible where the service is under the attacker's control or its responses can be spoofed on the network. Because the flaw is in server-side code processing untrusted input, exploitation can be achieved via HTTP requests containing crafted GPS data, granting the attacker the ability to inject arbitrary SQL into the database and thereby tamper with critical operational data.
OpenCVE Enrichment