CVE-2026-48228
Reflected XSS in Open ISES Tickets Patient Portal
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-48228 is a reflected Cross-Site Scripting (XSS) vulnerability found in Open ISES Tickets versions before 3.44.2, specifically in the patient_w.php file.
The vulnerability occurs because the application does not properly sanitize the id and ticket_id GET parameters before embedding them directly into an HTML form action URL.
An authenticated attacker can exploit this by crafting a malicious request containing JavaScript code in these parameters, which then executes in the victim's browser when the response is rendered.
How can this vulnerability impact me? :
This vulnerability allows attackers to execute arbitrary JavaScript code in the context of a victim's browser session.
- It can lead to session hijacking, allowing attackers to steal sensitive information such as authentication tokens.
- Attackers might perform actions on behalf of the victim or manipulate the web application's behavior.
- It poses a medium severity security risk with a CVSS score of 5.1, indicating a moderate impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the patient_w.php page for reflected Cross-Site Scripting (XSS) in the id and ticket_id GET parameters. An authenticated user can attempt to inject JavaScript payloads into these parameters and observe if the payload executes when the response is rendered.
For example, you can use curl or a web proxy tool to send requests with JavaScript code in the id or ticket_id parameters and check if the response contains the unsanitized script.
- curl -i -b cookies.txt "http://target/patient_w.php?id=<script>alert(1)</script>&ticket_id=123"
- Use a browser with developer tools or a proxy like Burp Suite to intercept and modify requests to patient_w.php, injecting JavaScript in the id and ticket_id parameters to see if it executes.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Open ISES Tickets to version 3.44.2 or later, where this reflected XSS vulnerability in patient_w.php has been fixed.
Until an upgrade is possible, restrict access to the affected page to trusted authenticated users only, and consider implementing web application firewall (WAF) rules to detect and block malicious input patterns targeting the id and ticket_id parameters.
Additionally, review and apply input validation and output encoding on the server side to neutralize any injected scripts in these parameters.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated attackers to inject arbitrary JavaScript code that executes in the victim's browser, which can lead to unauthorized actions or data exposure within the affected application.
Such security weaknesses can impact compliance with standards like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and attacks.
Specifically, reflected cross-site scripting vulnerabilities may enable attackers to compromise user sessions or steal sensitive information, potentially resulting in violations of data protection regulations.