CVE-2026-48230

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ticketsmdb_import.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters (mdbhost, mdbdb, mdbuser, mdbpassword, mdbprefix, t...

medium 5.4 CVSS 3.1

Published: May 21, 2026

Modified: May 21, 2026

Description

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ticketsmdb_import.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters (mdbhost, mdbdb, mdbuser, mdbpassword, mdbprefix, ticketshost, ticketsdb, ticketsuser, ticketspassword, ticketsprefix) directly into HTML form hidden input value attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

References

https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://github.com/openises/tickets/releases/tag/v3.44.2
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-ticketsmdb-import-php-multiple-parameters

Version	3.1
Score	5.4 / 10
Severity	medium