CVE-2026-48222
Status: Deferred - Pending Action
Reflected XSS in Open ISES Tickets via frm_add_str Parameter

Publication date: 2026-05-21

Last updated on: 2026-05-21

Assigner: VulnCheck

Description
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.
Meta Information
Generated: 2026-05-22
AI Q&A generated: 2026-05-21
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-48222 is a reflected cross-site scripting (XSS) vulnerability found in Open ISES Tickets versions before 3.44.2, specifically in the ics213.php file.

The vulnerability occurs because the frm_add_str POST parameter is not sanitized before it is written into the value attribute of a hidden form input, allowing authenticated attackers to inject arbitrary JavaScript code.

When a victim's browser renders the response containing the injected code, the malicious JavaScript executes in that user's session.


How can this vulnerability impact me?

This vulnerability can allow attackers to execute arbitrary JavaScript in the context of a victim's browser session.

  • It may lead to theft of sensitive information such as session cookies or credentials.
  • Attackers could perform actions on behalf of the victim within the application.
  • It can facilitate further attacks like phishing or spreading malware.

Overall, it poses a medium severity risk that can compromise user security and trust.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring HTTP POST requests to the ics213.php file, specifically looking for the frm_add_str parameter containing markup or JavaScript. Because the value is reflected inside an attribute, check for quote and angle-bracket characters in frm_add_str rather than only literal script tags. Since the vulnerability requires authentication, detection should focus on authenticated sessions.

A practical approach is to capture and analyze web traffic for POST requests to ics213.php that carry the frm_add_str parameter, for example by sending test requests with command-line tools such as curl or wget, or by inspecting traffic with a network monitoring tool.

  • Use curl to test for injection: curl -X POST -d "frm_add_str=<script>alert(1)</script>" https://target/ics213.php -b cookies.txt
  • Use a web proxy or interception tool (e.g., Burp Suite) to capture and modify POST requests to ics213.php and observe if injected scripts execute in the response.
  • Check server logs for unusual POST requests to ics213.php containing script tags or suspicious input in frm_add_str.
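The log check from the last bullet, as an added example that is not from this page or the Open ISES Tickets project: it reads constructed JSON-lines request records (the log format, field names and sample entries are assumptions), keeps only POSTs to ics213.php, decodes frm_add_str, and ranks values that could break out of the hidden input's value attribute.

```python
"""Scan constructed request-log lines for frm_add_str values posted to ics213.php."""
import json
import re
from typing import Optional
from urllib.parse import parse_qs

# The reflected value lands inside a hidden input's value attribute, so tags,
# URL schemes and event handlers are high-confidence; bare quotes can also
# terminate the attribute but occur in legitimate text, so they rank low.
TAG_OR_HANDLER = re.compile(r"<|>|javascript:|\bon\w+\s*=", re.IGNORECASE)
QUOTE = re.compile(r"[\"']")

# Constructed sample log in a hypothetical JSON-lines format (not real traffic).
SAMPLE_LOG = """
{"ts": "2026-05-21T10:00:01Z", "method": "POST", "path": "/ics213.php", "user": "alice", "body": "frm_add_str=Shift+change+at+0800&frm_action=save"}
{"ts": "2026-05-21T10:00:02Z", "method": "POST", "path": "/ics213.php", "user": "bob", "body": "frm_add_str=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"}
{"ts": "2026-05-21T10:00:03Z", "method": "POST", "path": "/other.php", "user": "carol", "body": "frm_add_str=%3Cscript%3E"}
{"ts": "2026-05-21T10:00:04Z", "method": "POST", "path": "/ics213.php", "user": "dave", "body": "frm_add_str=O%27Brien+relief"}
"""


def classify(value: str) -> Optional[str]:
    """Return 'high', 'low' or None for a decoded frm_add_str value."""
    if TAG_OR_HANDLER.search(value):
        return "high"
    if QUOTE.search(value):
        return "low"
    return None


def frm_add_str_of(entry: dict) -> Optional[str]:
    """Decoded frm_add_str from a POST to ics213.php, else None."""
    path = entry.get("path", "").partition("?")[0]
    if entry.get("method") != "POST" or not path.endswith("/ics213.php"):
        return None
    values = parse_qs(entry.get("body", ""), keep_blank_values=True).get("frm_add_str")
    return values[0] if values else None


def scan(log_text: str) -> list:
    """One finding per request whose frm_add_str looks like attribute-breaking markup."""
    findings = []
    for line in log_text.strip().splitlines():
        entry = json.loads(line)
        value = frm_add_str_of(entry)
        severity = classify(value) if value is not None else None
        if severity:
            findings.append({"ts": entry["ts"], "user": entry["user"],
                             "severity": severity, "value": value})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The "low" tier exists because apostrophes and quotes appear in ordinary ticket text, so those hits are triage candidates rather than alerts.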

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to update Open ISES Tickets to version 3.44.2 or later, where this vulnerability has been fixed.

Until the update can be applied, restrict access to the affected ics213.php endpoint to trusted users only and monitor for suspicious activity.

Implement web application firewall (WAF) rules to detect and block attempts to inject JavaScript via the frm_add_str POST parameter.

Educate authenticated users about the risk of reflected XSS and encourage cautious behavior when interacting with the application.

