The flaw is a rudimentary SQL injection located in the ajax/mobile_main.php script of Open ISES Tickets. The script concatenates the id GET parameter directly into a WHERE clause of a SELECT statement used to verify a ticket’s existence, with no sanitization or parameterization. If an attacker with valid authentication submits a crafted id value, the query can be altered to read, modify, or delete arbitrary database rows, compromising data confidentiality, integrity, and availability. This weakness is classified as CWE‑89, indicating improper handling of untrusted input in SQL statements.

This vulnerability afflicts all installations of Open ISES Tickets running any version older than 3.44.2. The affected product is the Open ISES Tickets application, which is a web‑based ticket management system. No specific operating systems are listed, so the vulnerability applies to any environment hosting the application.

The CVSS score of 7.1 places the issue in the high‑severity range, and the EPSS score is unavailable, so the current exploitation probability cannot be quantified. The vulnerability requires authentication, indicating that the attacker must first gain legitimate access, either by compromising a user account or exploiting another entry point. Once authenticated, the attacker can manipulate the id parameter and perform arbitrary database operations. The absence of a KEV listing suggests no widespread, publicly available exploits are yet documented, but the inherent danger of database compromise makes the risk significant for any deployment that stores sensitive ticket data.