Description
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/statistics.php where the tick_id and f_tick_id POST parameters are concatenated into WHERE clauses of SELECT statements in the statistics rollup queries without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents.
Published: 2026-05-21
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open ISES Tickets contains a SQL injection flaw in ajax/statistics.php where the tick_id and f_tick_id POST parameters are concatenated into SQL WHERE clauses without sanitization. This flaw allows an authenticated attacker to manipulate the query to read, modify, or delete database contents, thereby compromising confidentiality, integrity, and availability of the ticket data.

Affected Systems

The vulnerability affects Open ISES Tickets versions prior to 3.44.2. All installations using these versions are potentially exposed.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity, but the EPSS score is not available and the flaw is not listed in the CISA KEV catalog. Exploitation requires valid user credentials; an attacker must be authenticated to the application to send crafted POST requests to the statistics endpoint. Once authenticated, the attacker can read or alter ticket data, or delete records, leading to significant data loss and potential regulatory impact.

Generated by OpenCVE AI on May 21, 2026 at 18:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later.
  • If an upgrade is not possible, limit access to ajax/statistics.php to users with minimal privileges or temporarily disable the endpoint if it is not required.
  • Validate and sanitize the tick_id and f_tick_id POST parameters to ensure they contain only expected numeric values before using them in SQL queries.
  • Deploy a Web Application Firewall rule to detect and block SQL injection attempts targeting ajax/statistics.php.

Generated by OpenCVE AI on May 21, 2026 at 18:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/statistics.php where the tick_id and f_tick_id POST parameters are concatenated into WHERE clauses of SELECT statements in the statistics rollup queries without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents.
Title Open ISES Tickets < 3.44.2 SQL Injection via ajax/statistics.php tick_id and f_tick_id Parameters
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-21T17:57:46.749Z

Reserved: 2026-05-21T13:15:18.101Z

Link: CVE-2026-48240

cve-icon Vulnrichment

Updated: 2026-05-21T17:57:38.634Z

cve-icon NVD

Status : Deferred

Published: 2026-05-21T18:16:20.943

Modified: 2026-05-21T19:10:12.323

Link: CVE-2026-48240

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T18:45:17Z

Weaknesses