CVE-2026-48243
Hardcoded WhitePages API Key Exposure in Open ISES Tickets
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openises | tickets | before 3.44.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability involves a hardcoded WhitePages reverse-phone API key embedded in the source code, which can be extracted and misused by unauthorized actors. This exposure of credentials could potentially lead to unauthorized access to third-party services and misuse of the original owner's account.
However, there is no specific information provided about how this vulnerability directly impacts compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
Open ISES Tickets versions before 3.44.2 contain a hardcoded WhitePages reverse-phone API key embedded in the wp1.php file.
This key is committed to the public source repository, meaning anyone with read access to the source code can extract it.
An attacker can then use this key to make unauthorized third-party API calls to WhitePages, which are billed to or rate-limited against the original owner's account.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized use of the WhitePages API key, allowing attackers to make API calls that are charged to or limited against the original owner's account.
Such unauthorized usage could result in unexpected costs or service disruptions due to hitting rate limits.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the source code of Open ISES Tickets installations for the presence of a hardcoded WhitePages reverse-phone API key in the wp1.php file.
You can search for the API key by running commands that look for the specific file and keywords within it.
- Use a command like: grep -r 'WhitePages' /path/to/open-ises-tickets/wp1.php
- Alternatively, search for the API key pattern or keywords related to the WhitePages API key in the source directory: grep -r 'api_key' /path/to/open-ises-tickets/
If the source code is publicly accessible or stored in a repository, review the wp1.php file for any hardcoded credentials.
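The grep checks above match a fixed keyword and will also hit lines that load the key safely. As an added example (not part of the advisory or of the Open ISES code), this Python script reports only quoted credential literals in PHP sources and redacts them in its output; the variable-name list, the file suffixes and the SAMPLE contents are assumptions constructed for illustration, since the page does not show the contents of wp1.php.

```python
import re
import sys
from pathlib import Path

# Assumed key-like names: the page does not show the variable used in wp1.php.
NAME = r"\w*(?:api_?key|secret|token|passw(?:or)?d)\w*"
QUOTED = r"(?P<q>['\"])(?P<val>[^'\"\n]{8,})(?P=q)"
PATTERNS = [
    re.compile(r"\$" + NAME + r"\s*=\s*" + QUOTED, re.I),                     # $x_api_key = '...'
    re.compile(r"define\(\s*['\"]" + NAME + r"['\"]\s*,\s*" + QUOTED, re.I),  # define('X_KEY', '...')
    re.compile(r"['\"]" + NAME + r"['\"]\s*=>\s*" + QUOTED, re.I),            # 'api_key' => '...'
    re.compile(r"[?&]" + NAME + r"=(?P<val>[A-Za-z0-9_-]{8,})", re.I),        # ?api_key=... in a URL
]
PLACEHOLDER = re.compile(r"your|example|changeme|placeholder|x{4,}", re.I)

# Constructed sample, not the real wp1.php: literal key, env lookup, commented URL, placeholder.
SAMPLE = '''<?php
$wp_api_key = "0123456789abcdef0123456789abcdef";
$wp_api_key = getenv("WHITEPAGES_API_KEY");
// $url = "https://api.example.invalid/lookup?api_key=fedcba9876543210";
define("WP_API_KEY", "YOUR_KEY_HERE");
'''

def redact(value):  # keep a prefix to identify the key for rotation, hide the rest
    return value[:4] + "*" * (len(value) - 4)

def scan_text(text):
    """Yield (line_number, redacted_value); commented-out keys still count as exposed."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat in PATTERNS:
            m = pat.search(line)
            if m and not PLACEHOLDER.search(m.group("val")):
                yield lineno, redact(m.group("val"))
                break

def scan_tree(root, suffixes=(".php", ".inc")):
    """Return (relative_path, line, redacted_value) findings under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            rel = path.relative_to(root).as_posix()
            findings += [(rel, n, v) for n, v in scan_text(text)]
    return findings

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(f"{p}:{n}: hard-coded credential {v}" for p, n, v in hits))
    sys.exit(1 if hits else 0)  # non-zero exit fails a CI job
```

Run it against the installation directory or a repository checkout; a finding in the working tree means the key should also be treated as present in the repository history.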
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Open ISES Tickets to version 3.44.2 or later, where this vulnerability has been addressed.
Additionally, remove any hardcoded WhitePages API keys from the wp1.php file or any other source files.
If the API key has been exposed, consider rotating or revoking the compromised WhitePages API key to prevent unauthorized use.