CVE-2026-35013
Status: Received - Intake
Reflected XSS in Open ISES Tickets via street_view.php parameters

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: VulnCheck

Description
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in street_view.php that allows authenticated attackers to inject arbitrary JavaScript by passing unsanitized values through the thelat and thelng GET parameters directly into JavaScript variable assignments. Attackers can craft a malicious URL containing a JavaScript payload in either parameter that executes in the victim's browser when the URL is visited.
Meta Information
Published: 2026-05-20
Last Modified: 2026-05-20
Generated: 2026-05-21
AI Q&A: 2026-05-20
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Currently, no data is known.
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-35013 is a reflected cross-site scripting (XSS) vulnerability in Open ISES Tickets versions before 3.44.2, specifically in the street_view.php file.

The GET parameters thelat and thelng, which normally carry a latitude and a longitude, are assigned to JavaScript variables in the page without sanitization. Because the sink is inside a script rather than in HTML body text, an attacker-controlled value can terminate the assignment and append statements of its own. For this kind of sink the standard fix is to cast the values to float, since they are coordinates, or to emit them with json_encode using the JSON_HEX_TAG, JSON_HEX_APOS, JSON_HEX_QUOT and JSON_HEX_AMP flags; the advisory does not say how 3.44.2 fixes it.

The attacker crafts a URL containing a JavaScript payload in either parameter and gets a user who is logged in to the application to visit it (the advisory describes the attacker as authenticated, so the page is presumably reachable only after login). The payload then runs in that user's browser with that user's session.


How can this vulnerability impact me? :

This vulnerability allows an attacker to run JavaScript in the context of a logged-in user's browser session with Open ISES Tickets, which means the injected script can do whatever that user can do in the application.

  • It can steal sensitive information: session cookies if they are not flagged HttpOnly, page contents, or credentials typed into an injected form.
  • It can perform actions on behalf of the victim within the application, including any privileged actions an administrator's session allows.
  • It can be used to deliver further payloads or redirect users to malicious sites.

No CVSS score is recorded on this page. Reflected XSS that needs a logged-in victim is usually rated medium severity; the practical impact depends on the privileges of the user who opens the link.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The attack is carried by a GET request, so the payload lands in the access log of the vulnerable web server, in the request line sent by the victim's browser. Apache's combined format and Nginx's default format both record the full query string, so you can start by listing requests to street_view.php that carry the thelat or thelng parameters:

  • grep -i 'street_view.php' /var/log/apache2/access.log | grep -E 'thelat=|thelng='
  • grep -i 'street_view.php' /var/log/nginx/access.log | grep -E 'thelat=|thelng='

These commands also match every normal use of the page, because thelat and thelng are its ordinary parameters. Legitimate values are coordinates, i.e. a signed decimal number, so the useful filter is any value that contains anything else: quotes, semicolons, angle brackets, or patterns such as <script> and javascript:. Keep in mind that browsers percent-encode these characters in the URL (%27 for ', %22 for ", %3C and %3E for < and >), so search for both the literal and the encoded forms, or decode the query string before matching. The client address on a matching line is the victim's, not the attacker's; the Referer field, when present, may show where the link was served from.
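Grepping for thelat= and thelng= returns every legitimate request as well, since those are the parameters the page normally takes. The following Python script is an added example, not code from this page or from Open ISES Tickets: it parses combined-format access-log lines, percent-decodes the thelat and thelng values of requests to street_view.php, and reports every value that is not a plain signed decimal number, which is all a coordinate should ever be. The log lines are constructed for the example, and the numeric pattern (COORD_RE) and the log format are assumptions to adjust to your deployment.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/Nginx "combined" log format. They are
# made up for this example, not captured traffic. Lines 2, 3 and 6 carry
# thelat/thelng values that cannot be coordinates.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2026:10:01:02 +0000] "GET /street_view.php?thelat=51.5074&thelng=-0.1278 HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
10.0.0.9 - - [20/May/2026:10:02:17 +0000] "GET /street_view.php?thelat=51.5%27%3B1%2F%2F&thelng=-0.1 HTTP/1.1" 200 4530 "http://example.net/" "Mozilla/5.0"
10.0.0.9 - - [20/May/2026:10:02:40 +0000] "GET /tickets/street_view.php?thelat=1&thelng=%3C%2Fscript%3E HTTP/1.1" 200 4530 "-" "Mozilla/5.0"
10.0.0.7 - - [20/May/2026:10:03:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.0.0.8 - - [20/May/2026:10:04:00 +0000] "GET /street_view.php?thelat=&thelng=12.3 HTTP/1.1" 200 4500 "-" "Mozilla/5.0"
10.0.0.8 - - [20/May/2026:10:04:05 +0000] "GET /street_view.php?thelat=%2531%2527&thelng=12.3 HTTP/1.1" 200 4500 "-" "Mozilla/5.0"
"""

# Client address, timestamp and the quoted request line of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# What a legitimate latitude or longitude looks like: a signed decimal number.
# Assumption for this example; widen it if the application sends other forms.
COORD_RE = re.compile(r"-?\d+(\.\d+)?")

WATCHED_PARAMS = ("thelat", "thelng")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding. PHP decodes a query value once, so a
    double-encoded payload would not execute, but it is still a probe worth
    reporting in its readable form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> list[tuple[str, str]]:
    """Return (param, decoded value) for watched parameters of a request to
    street_view.php whose value is not a plain coordinate."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/street_view.php"):
        return []
    hits = []
    # parse_qs already applies one round of percent-decoding.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for raw in values:
            value = fully_decode(raw)
            # An empty value is a missing parameter, not an injection attempt.
            if value and not COORD_RE.fullmatch(value):
                hits.append((name, value))
    return hits


def scan_log(text: str) -> list[dict]:
    """Scan access-log text and return one finding per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in suspicious_params(m["target"]):
            findings.append(
                {"client": m["client"], "ts": m["ts"], "param": name, "value": value}
            )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        # The client address is the browser that sent the request, i.e. the
        # victim, not the attacker who crafted the link.
        print(f"{f['ts']} client={f['client']} {f['param']}={f['value']!r}")
```

On the sample data the script reports the quote-terminated value in line 2, the closing script tag in line 3, and the double-encoded probe in line 6, while the two normal requests and the request with an empty thelat produce nothing. Run it against a real log with scan_log(open(path).read()); because the allow-list is "looks like a number", it does not depend on guessing which payload patterns an attacker chose.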


What immediate steps should I take to mitigate this vulnerability?

The immediate step is to upgrade Open ISES Tickets to version 3.44.2 or later, where the reflected XSS in street_view.php has been patched (the advisory does not describe the fix itself).

Until the upgrade can be applied: restrict access to street_view.php to the users who need it; add a web application firewall (WAF) rule for that page that accepts only a signed decimal number in thelat and thelng and rejects anything else, which is more reliable than a block list of "suspicious" payload patterns; and make sure session cookies carry the HttpOnly flag so that a successful injection cannot read them directly. Note that merely requiring authentication for the page does not help by itself, since the attack already targets users who are logged in.

