Ejosterberg

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm add str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/mobile main.php where the id GET parameter is concatenated into the WHERE clause of a SELECT statement used as a ticket-existence sanity check without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents.

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/reports.php where the tick id POST parameter is concatenated into the WHERE clause of SELECT statements in the incidents summary report without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents.

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/statistics.php where the tick id and f tick id POST parameters are concatenated into WHERE clauses of SELECT statements in the statistics rollup queries without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents.

**Name of the Vulnerable Software and Affected Versions** Open ISES Tickets versions prior to 3.44.2 **Description** The software disables TLS certificate verification when issuing outbound HTTPS requests during the mobile (RouteMate) login flow. This occurs in the file 'rm/incs/mobile login.inc.php' by setting the `CURLOPT SSL VERIFYPEER` variable to false and failing to set `CURLOPT SSL VERIFYHOST`. A network attacker positioned between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify requests and responses, including session-bearing data or API keys. **Recommendations** Update to version 3.44.2.