Open ISES Tickets before version 3.44.2 stores database credentials directly in the public‑facing loader.php file. These credentials include the username, password, and database name, allowing anyone who can read the file to obtain the full set of credentials needed to connect to the application’s MySQL database. The data exposed by these credentials constitutes a core authentication secret, and the ability to view them can directly lead to full compromise of the database content if the attacker can reach the backend server.

The vulnerability affects installations of Open ISES Tickets running any release prior to 3.44.2. The specific product impacted is the public administrative interface that includes loader.php. Version information for the affected releases is provided in the vendor announcements and the release history, with the patch deployed in v3.44.2.

The CVSS score of 9.2 reflects a high‑risk impact due to the level of access and credence. Because the credentials are in a publicly visible source file, an unauthenticated attacker can obtain them simply by downloading the source or requesting the file from a deployed instance. There is no requirement for additional privileges or system compromise beyond network reachability to the database. The vulnerability is listed as not in the CISA KEV catalog and EPSS data is not available but the severity suggests a high likelihood of exploitation in environments where the database is exposed or the file is accessible.