93302 matches found
CVE-2026-48218
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in icons/buttons/landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frmname and frmid POST parameters directly into rendered HTML content a...
CVE-2026-48215
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in circle.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frmid POST parameter directly into an HTML form input value attribute. Attackers can...
CVE-2026-48216
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in dbloader.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters ticketshost, ticketsdb, ticketsuser, ticketspassword,...
CVE-2026-48248
CVE-2026-48248 affects Open ISES Tickets prior to version 3.44.2, where incs/login.inc.php disables TLS certificate verification by setting CURLOPT_SSL_VERIFYPEER to false and not configuring CURLOPT_SSL_VERIFYHOST during outbound HTTPS requests in the login/auth flow. This allows an on-path atta...
CVE-2026-48245
Open ISES Tickets before 3.44.2 contain a hardcoded Google Maps API key in tables.php that was committed to a public repository. The key can be read by anyone with repository access and used to incur Google Maps Platform charges on the owner’s Google Cloud project. Public remediation is available...
CVE-2026-48243
Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third‑party API calls billed to or rate‑limited against the origin...
CVE-2026-48243 Open ISES Tickets < 3.44.2 Hardcoded WhitePages API Key in wp1.php
Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third-party API calls billed to or rate-limited against the origin...
CVE-2026-48243 Open ISES Tickets < 3.44.2 Hardcoded WhitePages API Key in wp1.php
Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third-party API calls billed to or rate-limited against the origin...
CVE-2026-48242 Open ISES Tickets < 3.44.2 Hardcoded MySQL Database Credentials in import_mdb.php
Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials host, username, password, database name in importmdb.php. The credentials are embedded in source code committed to the public repository, allowing any reader of the source to obtain valid configuration values...
CVE-2026-48241
Open ISES Tickets before 3.44.2 contains hardcoded MySQL database credentials in loader.php a public-facing database utility that are committed to the source repository. Any actor with access to the public source tree or an unauthenticated attacker with read access to the file on a deployed...
CVE-2026-48241 Open ISES Tickets < 3.44.2 Hardcoded MySQL Database Credentials in loader.php
Open ISES Tickets before 3.44.2 contains hardcoded MySQL database credentials in loader.php a public-facing database utility that are committed to the source repository. Any actor with access to the public source tree or an unauthenticated attacker with read access to the file on a deployed...
CVE-2026-48239
Open ISES Tickets contains a SQL injection vulnerability in ajax/reports.php: the tick_id POST parameter is directly concatenated into the WHERE clause of the incidents summary report queries without sanitization. This allows authenticated attackers to influence query semantics and potentially re...
CVE-2026-48237 Open ISES Tickets < 3.44.2 SQL Injection via message.php frm_ticket_id and frm_resp_id Parameters
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in message.php where the frmticketid and frmrespid POST parameters are concatenated into WHERE clauses of SELECT/UPDATE statements without sanitization. Authenticated attackers can craft requests that alter query semantics to...
CVE-2026-48237
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in message.php where the frmticketid and frmrespid POST parameters are concatenated into WHERE clauses of SELECT/UPDATE statements without sanitization. Authenticated attackers can craft requests that alter query semantics to...
EUVD-2026-31317
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in message.php where the frmticketid and frmrespid POST parameters are concatenated into WHERE clauses of SELECT/UPDATE statements without sanitization. Authenticated attackers can craft requests that alter query semantics to...
CVE-2026-48231 Open ISES Tickets < 3.44.2 SQL Injection via tables.php Multiple Parameters
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in tables.php where the multiple POST parameters tablename, indexname, sortby are concatenated into table/column identifiers in dynamically constructed SELECT/UPDATE/DELETE statements without sanitization. Authenticated...
CVE-2026-48231 Open ISES Tickets < 3.44.2 SQL Injection via tables.php Multiple Parameters
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in tables.php where the multiple POST parameters tablename, indexname, sortby are concatenated into table/column identifiers in dynamically constructed SELECT/UPDATE/DELETE statements without sanitization. Authenticated...
CVE-2026-48229
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routesi.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticketid GET parameter directly into HTML form hidden input value attributes...
CVE-2026-48228 Open ISES Tickets < 3.44.2 Reflected XSS via patient_w.php id and ticket_id Parameters
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patientw.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticketid GET parameters directly into an HTML form action URL. Attackers ca...
EUVD-2026-31308
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in oswatch.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ref and modeorig POST parameters directly into HTML form hidden input value...