CVE-2026-48239
| Summary |
Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/reports.php where the tick_id POST parameter is concatenated into the WHERE clause of SELECT statements in the incidents summary report without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents.
|
| Publication Date |
May 22, 2026, 3:16 a.m. |
| Registration Date |
May 22, 2026, 4:08 a.m. |
| Last Update |
May 22, 2026, 3:16 a.m. |
|
CVSS3.1 : HIGH
|
| スコア |
7.1
|
| Vector |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
| 攻撃元区分(AV) |
ネットワーク |
| 攻撃条件の複雑さ(AC) |
低 |
| 攻撃に必要な特権レベル(PR) |
低 |
| 利用者の関与(UI) |
不要 |
| 影響の想定範囲(S) |
変更なし |
| 機密性への影響(C) |
高 |
| 完全性への影響(I) |
低 |
| 可用性への影響(A) |
なし |
Related information, measures and tools
Common Vulnerabilities List