Description
Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobile_login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) for outbound HTTPS requests issued during the mobile (RouteMate) login flow. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.
Published: 2026-05-21
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in rm/incs/mobile_login.inc.php of Open ISES Tickets: the outbound HTTPS requests issued during the mobile (RouteMate) login flow are made with TLS certificate verification disabled, because CURLOPT_SSL_VERIFYPEER is set to false and CURLOPT_SSL_VERIFYHOST is not set. An attacker positioned on the network path between the server and the remote endpoint can therefore present a forged certificate and intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit. The vulnerability class corresponds to CWE-295 (Improper Certificate Validation); a missing TLS validation of this kind can lead to credential compromise and further escalation.

Affected Systems

Vulnerable installations are those running any Open ISES Tickets release prior to version 3.44.2. No specific patch revisions are listed; the problem persists until the release in which TLS verification is correctly enabled.

Risk and Exploitability

With a CVSS score of 8.2, the vulnerability is considered high severity. The EPSS score is < 1%, and the issue is not listed in the CISA KEV catalog, indicating that no publicly known exploitation campaigns have yet been reported. The attack vector is inferred as a network-based man-in-the-middle (MitM): an adversary on the path between the server and the external endpoint can supply a malicious certificate. The absence of certificate verification creates a clear avenue for interception or tampering of login traffic, making the vulnerability exploitable under realistic network conditions.

Generated by OpenCVE AI on May 26, 2026 at 15:10 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to Open ISES Tickets version 3.44.2 or later, which restores proper SSL verification.
  • If an upgrade cannot be applied immediately, disable the mobile (RouteMate) login flow or block outbound requests from it until the patch is applied.
  • Patch the code by setting CURLOPT_SSL_VERIFYPEER to true and CURLOPT_SSL_VERIFYHOST to 2 for all outbound HTTPS calls in rm/incs/mobile_login.inc.php.
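The following is an added example, not code from Open ISES Tickets, showing what the patched outbound call described above looks like in PHP: a small helper that enforces peer and hostname verification, fails closed on certificate errors, and restricts the request to HTTPS. The function name, endpoint URL and form fields are hypothetical placeholders.

```php
<?php
// Added example (not the project's code): a hardened outbound HTTPS helper of
// the kind rm/incs/mobile_login.inc.php could use for the RouteMate login call.
// The weak pattern this replaces is CURLOPT_SSL_VERIFYPEER => false with
// CURLOPT_SSL_VERIFYHOST left unset.

function routemate_https_post(string $url, array $fields, ?string $caBundle = null): array
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }

    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
        // CWE-295 fix, part 1: validate the peer's certificate chain against
        // the trusted CA store.
        CURLOPT_SSL_VERIFYPEER => true,
        // CWE-295 fix, part 2: require the certificate's name to match the
        // requested host. 2 is the only value that enforces the check.
        CURLOPT_SSL_VERIFYHOST => 2,
        // Never let a redirect or a URL typo downgrade the transport to
        // plain HTTP; only HTTPS is allowed, on the initial request and
        // on any redirect.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        // Minimum TLS version.
        CURLOPT_SSLVERSION      => CURL_SSLVERSION_TLSv1_2,
    ]);

    // Optionally trust only a specific CA bundle (e.g. the endpoint's private CA)
    // instead of the system store; the bundle path is an assumption of the caller.
    if ($caBundle !== null) {
        curl_setopt($ch, CURLOPT_CAINFO, $caBundle);
    }

    $body = curl_exec($ch);
    if ($body === false) {
        $errno = curl_errno($ch);
        $error = curl_error($ch);
        curl_close($ch);
        // CURLE_PEER_FAILED_VERIFICATION (51) and CURLE_SSL_CACERT (60) mean the
        // chain or hostname check failed. Fail closed: log and abort the login,
        // never retry with verification disabled.
        throw new RuntimeException("HTTPS request to {$url} failed ({$errno}): {$error}");
    }

    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return ['status' => $status, 'body' => $body];
}

// Hypothetical usage; the endpoint and field names are placeholders, not the
// real RouteMate API.
// $resp = routemate_https_post(
//     'https://routemate.example.invalid/api/login',
//     ['user' => $username, 'token' => $apiKey]
// );
```

When auditing a deployment for this class of issue, a search of the PHP tree for `CURLOPT_SSL_VERIFYPEER` set to `false`/`0` or `CURLOPT_SSL_VERIFYHOST` set to anything other than `2` (or missing next to a `VERIFYPEER` line) finds the same pattern wherever else it may have been copied.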

Tracking


Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type: Description
Values Removed: Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobile_login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests for outbound HTTPS requests issued during the mobile (RouteMate) login flow. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.
Values Added: Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobile_login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests issued during the mobile (RouteMate) login flow. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.

Fri, 22 May 2026 12:45:00 +0000

Type: First Time appeared
Values Added: Openises; Openises tickets

Type: Vendors & Products
Values Added: Openises; Openises tickets

Thu, 21 May 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values Added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 21 May 2026 17:45:00 +0000

Type: Description
Values Added: Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobile_login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests for outbound HTTPS requests issued during the mobile (RouteMate) login flow. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.

Type: Title
Values Added: Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verification in rm/incs/mobile_login.inc.php

Type: Weaknesses
Values Added: CWE-295

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added:

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Type: Metrics (cvssV4_0)
Values Added:

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Openises Tickets
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-26T11:52:20.501Z

Reserved: 2026-05-21T13:15:18.102Z

Link: CVE-2026-48249

Vulnrichment

Updated: 2026-05-21T18:15:16.923Z

NVD

Status: Deferred

Published: 2026-05-21T18:16:22.167

Modified: 2026-05-26T14:16:39.387

Link: CVE-2026-48249

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T15:15:08Z

Weaknesses