Tickets
Monthly
Reflected cross-site scripting in Open ISES Tickets before v3.44.2 allows attackers to inject arbitrary JavaScript into victim browsers via the unsanitized `frm_query` POST parameter in `search.php`, which is echoed verbatim into an HTML input `VALUE` attribute. The CVSS 4.0 score of 5.1 (Medium) reflects a required active user interaction step (UI:A) that limits opportunistic exploitation - a victim must be induced to submit a crafted request. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, a vendor-released patch (v3.44.2) is available and should be applied immediately, as it simultaneously addresses 88 security vulnerabilities - including 68 additional XSS flaws across 22 files - indicating systemic insecurity in all prior versions.
Reflected XSS in Open ISES Tickets before 3.44.2 enables injection of arbitrary JavaScript via the unsanitized `the_ticket` GET parameter in do_unit_mail.php, which is written directly into a JavaScript variable assignment without output encoding. An attacker who can deliver a crafted URL to a user of the application can execute arbitrary JavaScript in that user's browser session, enabling session hijacking, credential theft, or UI redirection. No active exploitation is confirmed (not in CISA KEV), and no public POC is identified at time of analysis, though a patch commit and vendor release are publicly available, raising the exposure window.
Reflected cross-site scripting in Open ISES Tickets before 3.44.2 allows injection of arbitrary JavaScript via the ticket_id GET parameter in routes_nm.php, which is unsanitized and written directly into an HTML hidden input field VALUE attribute. The CVSS 4.0 vector (PR:N) indicates no privileges are required, but the CVE description explicitly characterizes the attacker as authenticated - this discrepancy must be verified with the vendor before determining actual exploitation prerequisites. Active user interaction is required (UI:A), meaning exploitation depends on a victim clicking a crafted URL. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.
Reflected XSS in Open ISES Tickets before version 3.44.2 allows an attacker to inject arbitrary JavaScript into a victim's browser session via the thelat and thelng GET parameters in street_view.php, where values are passed unsanitized directly into JavaScript variable assignments. The attack requires user interaction - a victim must visit a crafted URL - and the CVSS 4.0 score of 5.1 reflects limited scope impact (SC:L/SI:L). Notably, this CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 release, which also addressed 19 SQL injection flaws and 5 hardcoded secrets, indicating severe systemic security debt in the codebase. No public exploit identified at time of analysis, and no CISA KEV listing.
Reflected XSS in Open ISES Tickets before version 3.44.2 enables JavaScript injection via the ticket_id GET parameter in add_facnote.php, which is written unsanitized into a hidden HTML input field's VALUE attribute. An attacker can craft a URL containing a JavaScript payload and trick a user into visiting it, causing script execution in the victim's browser session within the application's origin. No public exploit has been identified at time of analysis, and a vendor-released patch is confirmed at v3.44.2. Notably, this CVE is one of at least 69 XSS vulnerabilities addressed in the same release, indicating systemic input sanitization failures across the codebase.
Reflected cross-site scripting in Open ISES Tickets before v3.44.2 allows attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL containing a payload in the `frm_call` GET parameter of `opena.php`, which is reflected directly into page output without sanitization. The CVSS 4.0 vector scores this at 5.1 (Medium), with impact limited to the subsequent browser context (SC:L/SI:L) rather than the server itself. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV - however, the v3.44.2 release patched 88 total vulnerabilities including 19 SQL injection flaws, indicating systemic security debt warranting urgent upgrade regardless of this CVE's moderate score.
Reflected XSS in Open ISES Tickets before 3.44.2 enables JavaScript injection via the ticket_id GET parameter in patient_JF.php, where the unsanitized value is written directly into a JavaScript variable assignment in the server response. The CVSS 4.0 vector (PR:N, UI:A) indicates no authentication is required from the attacker's side, though the CVE description contradicts this by specifying 'authenticated attackers' - this conflict should be verified with the vendor. Exploitation requires the victim to actively visit a crafted URL, limiting mass exploitation, but the broader v3.44.2 release context - which patches 88 total vulnerabilities including 19 SQL injection flaws - signals systemic input validation failures across the codebase. No public exploit code or CISA KEV listing has been identified at time of analysis.
Reflected XSS in Open ISES Tickets before 3.44.2 allows injection of arbitrary JavaScript via the unsanitized ticket_id GET parameter in add_note.php, with payload execution occurring in the browser of any authenticated user who visits a crafted URL. The CVSS 4.0 score of 5.1 (Medium) reflects the mandatory user interaction requirement and impact scope limited to the browser context, with no server-side confidentiality or integrity impact. No public exploit code or active exploitation has been identified at time of analysis; the vendor released v3.44.2 as a critical security update that addresses this issue alongside 87 additional vulnerabilities.
Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 allows an attacker to inject arbitrary JavaScript via the ticket_id GET parameter in single.php, which is rendered unsanitized into an HTML attribute and executed in a victim's browser upon visiting a crafted URL. This vulnerability is one of 69 XSS issues patched in the v3.44.2 release, which also addressed 19 SQL injection flaws and hardcoded credentials - signaling systemic input handling deficiencies across the application. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS 4.0 score of 5.1 and mandatory user interaction (UI:A) limit automated exploitation.
Reflected XSS in Open ISES Tickets before version 3.44.2 allows attackers to inject arbitrary JavaScript into a victim's browser session via the unsanitized 'id' GET parameter in single_unit.php. The injected value is written directly into an HTML attribute without escaping, enabling session hijacking, credential theft, or malicious redirects when a victim visits an attacker-crafted URL. This CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 security release - indicating systemic input validation failures across the application. No public exploit or CISA KEV listing has been identified at time of analysis.
Unauthenticated RCE in SPIP tickets plugin before 4.3.3 via code injection. Allows executing arbitrary PHP code without authentication. Patch available.
The mintToken function of a smart contract implementation for tickets (TKT), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Reflected cross-site scripting in Open ISES Tickets before v3.44.2 allows attackers to inject arbitrary JavaScript into victim browsers via the unsanitized `frm_query` POST parameter in `search.php`, which is echoed verbatim into an HTML input `VALUE` attribute. The CVSS 4.0 score of 5.1 (Medium) reflects a required active user interaction step (UI:A) that limits opportunistic exploitation - a victim must be induced to submit a crafted request. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, a vendor-released patch (v3.44.2) is available and should be applied immediately, as it simultaneously addresses 88 security vulnerabilities - including 68 additional XSS flaws across 22 files - indicating systemic insecurity in all prior versions.
Reflected XSS in Open ISES Tickets before 3.44.2 enables injection of arbitrary JavaScript via the unsanitized `the_ticket` GET parameter in do_unit_mail.php, which is written directly into a JavaScript variable assignment without output encoding. An attacker who can deliver a crafted URL to a user of the application can execute arbitrary JavaScript in that user's browser session, enabling session hijacking, credential theft, or UI redirection. No active exploitation is confirmed (not in CISA KEV), and no public POC is identified at time of analysis, though a patch commit and vendor release are publicly available, raising the exposure window.
Reflected cross-site scripting in Open ISES Tickets before 3.44.2 allows injection of arbitrary JavaScript via the ticket_id GET parameter in routes_nm.php, which is unsanitized and written directly into an HTML hidden input field VALUE attribute. The CVSS 4.0 vector (PR:N) indicates no privileges are required, but the CVE description explicitly characterizes the attacker as authenticated - this discrepancy must be verified with the vendor before determining actual exploitation prerequisites. Active user interaction is required (UI:A), meaning exploitation depends on a victim clicking a crafted URL. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.
Reflected XSS in Open ISES Tickets before version 3.44.2 allows an attacker to inject arbitrary JavaScript into a victim's browser session via the thelat and thelng GET parameters in street_view.php, where values are passed unsanitized directly into JavaScript variable assignments. The attack requires user interaction - a victim must visit a crafted URL - and the CVSS 4.0 score of 5.1 reflects limited scope impact (SC:L/SI:L). Notably, this CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 release, which also addressed 19 SQL injection flaws and 5 hardcoded secrets, indicating severe systemic security debt in the codebase. No public exploit identified at time of analysis, and no CISA KEV listing.
Reflected XSS in Open ISES Tickets before version 3.44.2 enables JavaScript injection via the ticket_id GET parameter in add_facnote.php, which is written unsanitized into a hidden HTML input field's VALUE attribute. An attacker can craft a URL containing a JavaScript payload and trick a user into visiting it, causing script execution in the victim's browser session within the application's origin. No public exploit has been identified at time of analysis, and a vendor-released patch is confirmed at v3.44.2. Notably, this CVE is one of at least 69 XSS vulnerabilities addressed in the same release, indicating systemic input sanitization failures across the codebase.
Reflected cross-site scripting in Open ISES Tickets before v3.44.2 allows attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL containing a payload in the `frm_call` GET parameter of `opena.php`, which is reflected directly into page output without sanitization. The CVSS 4.0 vector scores this at 5.1 (Medium), with impact limited to the subsequent browser context (SC:L/SI:L) rather than the server itself. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV - however, the v3.44.2 release patched 88 total vulnerabilities including 19 SQL injection flaws, indicating systemic security debt warranting urgent upgrade regardless of this CVE's moderate score.
Reflected XSS in Open ISES Tickets before 3.44.2 enables JavaScript injection via the ticket_id GET parameter in patient_JF.php, where the unsanitized value is written directly into a JavaScript variable assignment in the server response. The CVSS 4.0 vector (PR:N, UI:A) indicates no authentication is required from the attacker's side, though the CVE description contradicts this by specifying 'authenticated attackers' - this conflict should be verified with the vendor. Exploitation requires the victim to actively visit a crafted URL, limiting mass exploitation, but the broader v3.44.2 release context - which patches 88 total vulnerabilities including 19 SQL injection flaws - signals systemic input validation failures across the codebase. No public exploit code or CISA KEV listing has been identified at time of analysis.
Reflected XSS in Open ISES Tickets before 3.44.2 allows injection of arbitrary JavaScript via the unsanitized ticket_id GET parameter in add_note.php, with payload execution occurring in the browser of any authenticated user who visits a crafted URL. The CVSS 4.0 score of 5.1 (Medium) reflects the mandatory user interaction requirement and impact scope limited to the browser context, with no server-side confidentiality or integrity impact. No public exploit code or active exploitation has been identified at time of analysis; the vendor released v3.44.2 as a critical security update that addresses this issue alongside 87 additional vulnerabilities.
Reflected cross-site scripting in Open ISES Tickets before version 3.44.2 allows an attacker to inject arbitrary JavaScript via the ticket_id GET parameter in single.php, which is rendered unsanitized into an HTML attribute and executed in a victim's browser upon visiting a crafted URL. This vulnerability is one of 69 XSS issues patched in the v3.44.2 release, which also addressed 19 SQL injection flaws and hardcoded credentials - signaling systemic input handling deficiencies across the application. No public exploit code or CISA KEV listing has been identified at time of analysis, but the CVSS 4.0 score of 5.1 and mandatory user interaction (UI:A) limit automated exploitation.
Reflected XSS in Open ISES Tickets before version 3.44.2 allows attackers to inject arbitrary JavaScript into a victim's browser session via the unsanitized 'id' GET parameter in single_unit.php. The injected value is written directly into an HTML attribute without escaping, enabling session hijacking, credential theft, or malicious redirects when a victim visits an attacker-crafted URL. This CVE is one of 69 XSS vulnerabilities patched in the v3.44.2 security release - indicating systemic input validation failures across the application. No public exploit or CISA KEV listing has been identified at time of analysis.
Unauthenticated RCE in SPIP tickets plugin before 4.3.3 via code injection. Allows executing arbitrary PHP code without authentication. Patch available.
The mintToken function of a smart contract implementation for tickets (TKT), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.