Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in street_view.php that allows authenticated attackers to inject arbitrary JavaScript by passing unsanitized values through the thelat and thelng GET parameters directly into JavaScript variable assignments. Attackers can craft a malicious URL containing a JavaScript payload in either parameter that executes in the victim's browser when the URL is visited.
AnalysisAI
Reflected XSS in Open ISES Tickets before version 3.44.2 allows an attacker to inject arbitrary JavaScript into a victim's browser session via the thelat and thelng GET parameters in street_view.php, where values are passed unsanitized directly into JavaScript variable assignments. The attack requires user interaction - a victim must visit a crafted URL - and the CVSS 4.0 score of 5.1 reflects limited scope impact (SC:L/SI:L). Notably, this CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 release, which also addressed 19 SQL injection flaws and 5 hardcoded secrets, indicating severe systemic security debt in the codebase. No public exploit identified at time of analysis, and no CISA KEV listing.
Technical ContextAI
Open ISES Tickets is a PHP-based IT ticketing system (CPE: cpe:2.3:a:openises:tickets:*:*:*:*:*:*:*:*). The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a reflected XSS pattern in street_view.php where user-supplied GET parameters thelat and thelng are concatenated directly into server-side JavaScript variable assignments without sanitization or encoding. Because the values land inside a JavaScript context rather than HTML, standard HTML entity encoding may be insufficient - proper context-aware output encoding for JavaScript string literals is required. The broader v3.44.2 release notes reveal that 69 XSS vulnerabilities were fixed across 22 PHP files in a single batch, and the codebase also contained legacy password hashing (MD5, SHA1, plain text), hardcoded secrets, and SQL injection - suggesting the application has historically not applied consistent output encoding or input validation practices.
RemediationAI
Upgrade immediately to Open ISES Tickets v3.44.2, available at https://github.com/openises/tickets/releases/tag/v3.44.2. The release patches this CVE and 87 additional vulnerabilities including 19 SQL injection flaws, 5 hardcoded secrets, and 4 SSL validation failures - making the upgrade critically urgent regardless of this specific CVE's medium severity score. For Docker deployments, run 'docker compose pull && docker compose up -d'. For traditional installs, download the release zip, extract over the existing installation, and run the installer in Upgrade mode. If immediate upgrade is not possible, consider restricting access to street_view.php via web server configuration (e.g., IP allowlisting or authentication gateway in nginx/Apache) as a compensating control - note this disables the street view feature for all users. Do not treat this CVE in isolation: the SQL injection vulnerabilities in the same codebase present a higher-severity risk that makes deferring the upgrade dangerous.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31185
GHSA-rv9j-hj4r-57hm