← volver
CVE-2026-48239

Open ISES Tickets < 3.44.2 SQL Injection via ajax/reports.php tick_id Parameter

CVSS 7.1 HIGHEPSS 0.2%CWE-89
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/reports.php where the tick_id POST parameter is concatenated into the WHERE clause of SELECT statements in the incidents summary report without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Productos afectados
Open ISES · Tickets

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbffhttps://github.com/openises/tickets/releases/tag/v3.44.2https://www.vulncheck.com/advisories/open-ises-tickets-sql-injection-via-ajax-reports-php-tick-id-parameter