Open ISES Tickets Reflected Cross-Site Scripting Vulnerability in ticketsmdb_import.php

A reflected cross-site scripting vulnerability has been identified in Open ISES Tickets versions prior to 3.44.2. The issue resides in the ticketsmdb_import.php file, where authenticated attackers can inject arbitrary JavaScript. This is achieved by sending an unsanitized value through multiple POST parameters, which are then embedded into the HTML response via hidden input fields. The injected script executes in the context of the user's browser when the response is viewed.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject and execute malicious scripts in the context of the victim's browser session.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the ticketsmdb_import.php page. The request must include one or more of the following POST parameters: mdbhost, mdbdb, mdbuser, mdbpassword, mdbprefix, ticketshost, ticketsdb, ticketsuser, ticketspassword, or ticketsprefix. These parameters should be filled with unsanitized values that include JavaScript payloads. Once the request is sent, the injected JavaScript will execute in the browser when the response is rendered.

Remediation

Users are advised to upgrade to Open ISES Tickets version 3.44.2 or later, where this vulnerability has been patched.