← voltar
CVE-2026-48239

Open ISES Tickets < 3.44.2 SQL Injection via ajax/reports.php tick_id Parameter

CVSS 7.1 HIGHEPSS 0.2%CWE-89
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/reports.php where the tick_id POST parameter is concatenated into the WHERE clause of SELECT statements in the incidents summary report without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Produtos afetados
Open ISES · Tickets

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbffhttps://github.com/openises/tickets/releases/tag/v3.44.2https://www.vulncheck.com/advisories/open-ises-tickets-sql-injection-via-ajax-reports-php-tick-id-parameter