VYPR
← All advisories
Medium severity5.4NVD Advisory· Published May 21, 2026· Updated May 21, 2026

CVE-2026-48228

CVE-2026-48228

Description

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient_w.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket_id GET parameters directly into an HTML form action URL. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in Open ISES Tickets < 3.44.2 allows authenticated attackers to inject arbitrary JavaScript via unsanitized id/ticket_id GET parameters in patient_w.php.

Vulnerability

CVE-2026-48228 is a reflected cross-site scripting (XSS) vulnerability found in Open ISES Tickets versions before 3.44.2. The flaw resides in the patient_w.php file, where the id and ticket_id GET parameters are passed unsanitized into an HTML form action URL [1][3]. This lack of proper output encoding allows attackers to inject arbitrary JavaScript code that executes when the victim's browser renders the response.

Exploitation

An authenticated attacker can craft a malicious link containing a JavaScript payload in the id or ticket_id parameter. By tricking a victim user (who must also be authenticated) into clicking the crafted link, the injected script executes in the context of the victim's session. The attack requires no special privileges beyond those of a standard authenticated user and can be performed via any network-accessible path [3].

Impact

Successful exploitation enables the attacker to perform actions on behalf of the victim within the application, potentially leading to data theft, session hijacking, or further compromise of the Open ISES Tickets instance. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3 base score of 5.4 (Medium) and a CVSS v4 score of 5.1 [2][3].

Mitigation

The vulnerability is fixed in version 3.44.2, which addressed a total of 69 XSS vulnerabilities across 22 files, along with 19 SQL injection issues and other security improvements [2]. All users are strongly advised to upgrade immediately. There is no known workaround; updating to the patched release is the recommended action [2][3].

References
  1. Security: Fix 69 reflected XSS vulnerabilities across 22 files · openises/tickets@ecfeb40
  2. Release v3.44.2 — Critical Security Update · openises/tickets
  3. Open ISES Tickets < 3.44.2 Reflected XSS via patient_w.php id and ticket_id Parameters

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Openises/Ticketsreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: <3.44.2

Patches

1
ecfeb406a016

Security: Fix 69 reflected XSS vulnerabilities across 22 files

https://github.com/openises/ticketsEric OsterbergApr 2, 2026via nvd-ref
commit
29 files changed · +89 89
  • add_facnote.php+1 1 modified
    @@ -137,7 +137,7 @@ function validate () {
 						<TD class='td_data'><TEXTAREA NAME='frm_notes' tabindex=4 COLS=60 ROWS = 3><?php print $notes;?></TEXTAREA></TD>

 					</TR>

 				</TABLE>

-				<INPUT TYPE = 'hidden' NAME = 'frm_ticket_id' VALUE='<?php print $_GET['ticket_id']; ?>' />

+				<INPUT TYPE = 'hidden' NAME = 'frm_ticket_id' VALUE='<?php print htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8'); ?>' />

 				<INPUT TYPE = 'hidden' NAME = 'frm_existing' VALUE='<?php print $existing;?>' />

 				</FORM>

 			</DIV>
  • add_nm.php+2 2 modified
    @@ -344,7 +344,7 @@ function do_notify() {
 
 		var theAddresses = '<?php print implode("|", array_unique($addrs));?>';		// drop dupes
 		var theText= "TICKET - New: ";
-		var theId = '<?php print $_POST['ticket_id'];?>';
+		var theId = '<?php print intval($_POST['ticket_id']);?>';
 		
 //		mail_it ($to_str, $text, $theId, $text_sel=1;, $txt_only = FALSE)
 
@@ -423,7 +423,7 @@ function do_notify() {	// dummy
 	</FORM>
 
 	<FORM NAME='to_routes' METHOD='get' ACTION='routes.php'>
-	<INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print $_POST['ticket_id'];?>' />
+	<INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print intval($_POST['ticket_id']);?>' />
 	<INPUT TYPE='submit' VALUE='Routes' /></CENTER>
 	</FORM>
 <?php
  • add_note.php+1 1 modified
    @@ -103,7 +103,7 @@ function set_signal(inval) {
 				<B>Apply to</B>&nbsp;:&nbsp;&nbsp;

 				Description &raquo; <INPUT TYPE = 'radio' NAME='frm_add_to' value='0' CHECKED />&nbsp;&nbsp;&nbsp;&nbsp;

 				<?php print $disposition;?> &raquo; <INPUT TYPE = 'radio' NAME='frm_add_to' value='1' />

-				<INPUT TYPE = 'hidden' NAME = 'frm_ticket_id' VALUE='<?php print $_GET['ticket_id']; ?>' />

+				<INPUT TYPE = 'hidden' NAME = 'frm_ticket_id' VALUE='<?php print htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8'); ?>' />

 				</FORM>				

 			</DIV>

 		</DIV>
  • add.php+1 1 modified
    @@ -653,7 +653,7 @@ function updt_ticket($id) {							/* 1/25/09 */
 			<SPAN id='sub_but' class='plain text' style='float: none;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='document.to_main.submit();'>Main</SPAN><BR />
 			<BR />
 			<FORM NAME='to_routes' METHOD='get' ACTION='<?php print $_SESSION['routesfile'];?>'>
-			<INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print $_POST['ticket_id'];?>' />
+			<INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print intval($_POST['ticket_id']);?>' />
 			</FORM>
 			<SPAN id='sub_but' class='plain text' style='float: none;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='document.to_routes.submit();'>Routes</SPAN>
 			</CENTER>
  • circle.php+1 1 modified
    @@ -1342,7 +1342,7 @@ function toggle(the_value) {
 <BODY onload = 'document.dummy.submit();'>
 <FORM NAME='dummy' METHOD = 'post' ACTION = '<?php echo basename(__FILE__);?>'>
 <INPUT TYPE = 'hidden' NAME = '_func' VALUE = 'r' />
-<INPUT TYPE = 'hidden' NAME = 'id' VALUE = '<?php echo $_POST['frm_id'];?>' />
+<INPUT TYPE = 'hidden' NAME = 'id' VALUE = '<?php echo intval($_POST['frm_id']);?>' />
 </FORM></BODY></HTML>
 
 <?php
  • db_loader.php+6 6 modified
    @@ -633,12 +633,12 @@ function confirm_delete() {
 			</DIV>
 		</DIV>
 
-		<INPUT name='ticketshost' type='hidden' VALUE='<?php print $_POST['ticketshost'];?>' />
-		<INPUT name='ticketsdb' type='hidden' VALUE='<?php print $_POST['ticketsdb'];?>' />
-		<INPUT name='ticketsuser' type='hidden' VALUE='<?php print $_POST['ticketsuser'];?>' />
-		<INPUT name='ticketspassword' type='hidden' VALUE='<?php print $_POST['ticketspassword'];?>' />
-		<INPUT name='ticketsprefix' type='hidden' VALUE='<?php print $_POST['ticketsprefix'];?>' />			
-		<INPUT name='db_schema' type='hidden' VALUE='<?php print $_POST['db_schema'];?>' />
+		<INPUT name='ticketshost' type='hidden' VALUE='<?php print htmlspecialchars($_POST['ticketshost'], ENT_QUOTES, 'UTF-8');?>' />
+		<INPUT name='ticketsdb' type='hidden' VALUE='<?php print htmlspecialchars($_POST['ticketsdb'], ENT_QUOTES, 'UTF-8');?>' />
+		<INPUT name='ticketsuser' type='hidden' VALUE='<?php print htmlspecialchars($_POST['ticketsuser'], ENT_QUOTES, 'UTF-8');?>' />
+		<INPUT name='ticketspassword' type='hidden' VALUE='<?php print htmlspecialchars($_POST['ticketspassword'], ENT_QUOTES, 'UTF-8');?>' />
+		<INPUT name='ticketsprefix' type='hidden' VALUE='<?php print htmlspecialchars($_POST['ticketsprefix'], ENT_QUOTES, 'UTF-8');?>' />
+		<INPUT name='db_schema' type='hidden' VALUE='<?php print htmlspecialchars($_POST['db_schema'], ENT_QUOTES, 'UTF-8');?>' />
 		<INPUT name='page_background' type='hidden' VALUE='<?php print $page_background;?>' />
 		<INPUT name='normal_text' type='hidden' VALUE='<?php print $normal_text;?>' />
 		<INPUT name='form_input_background' type='hidden' VALUE='<?php print $form_input_background;?>' />
  • delete_module.php+7 7 modified
    @@ -63,15 +63,15 @@ function mod_table_exists($tablename) {			//check if mysql table exists, if it's
 	<TR><TH class='heading'>Module Deletion - Confirmation</TH></TR>

 	<TR><TD>&nbsp;</TD></TR>

 	<TR><TD>&nbsp;</TD></TR>

-	<FORM NAME="delete_2" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

-	<TR><TD style='font-size: 14px; font-weight: bold; background-color: #AEAEAE; text-align: center;'>Selected Module: <?php print $_POST['module_choice'];?></TD></TR>

+	<FORM NAME="delete_2" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post">

+	<TR><TD style='font-size: 14px; font-weight: bold; background-color: #AEAEAE; text-align: center;'>Selected Module: <?php print htmlspecialchars($_POST['module_choice'], ENT_QUOTES, 'UTF-8');?></TD></TR>

 	<TR><TD>&nbsp;</TD></TR>

 	<TR><TD>&nbsp;</TD></TR>

 	<TR><TD>&nbsp;</TD></TR>	

 	<TR><TD CLASS="td_label">Click Submit to confirm module deletion or Cancel to abort</TD></TR>	

 	<TR><TD>&nbsp;</TD></TR>

 	<TR><TD>&nbsp;</TD></TR>	

-	<INPUT TYPE='hidden' NAME='confirmation' VALUE='<?php print $_POST['module_choice'];?>'>

+	<INPUT TYPE='hidden' NAME='confirmation' VALUE='<?php print htmlspecialchars($_POST['module_choice'], ENT_QUOTES, 'UTF-8');?>'>

 	<INPUT TYPE='hidden' NAME='flag' VALUE='Confirmation Received'>	

 	<TR><TD ALIGN="center"><INPUT TYPE="button" VALUE="Cancel" onClick="window.location.href='config.php'" >&nbsp;&nbsp;<input type="submit" name="submit" value="Submit" /></TD></TR>

 	</FORM></TABLE>	

@@ -102,8 +102,8 @@ function rmdir_recurse($path) {
 		

 ?>

 	<DIV style='background-color:#CECECE; position: absolute; width: 60%; height: 60%; left: 20%; top: 10%; border:2px inset #FFF2BF; display: block; text-align: center'>

-	<BR /><BR /><BR /><BR /><?php	print $_POST['flag'];?><BR /><BR />

-	Deleting Tickets Module........<?php print $_POST['confirmation'];?><BR /><BR />

+	<BR /><BR /><BR /><BR /><?php	print htmlspecialchars($_POST['flag'], ENT_QUOTES, 'UTF-8');?><BR /><BR />

+	Deleting Tickets Module........<?php print htmlspecialchars($_POST['confirmation'], ENT_QUOTES, 'UTF-8');?><BR /><BR />

 	Dropping Table........<?php print $table;?>...........	

 <?php	

 	$query	= "DROP table `{$GLOBALS['mysql_prefix']}" . $table ."`";

@@ -115,7 +115,7 @@ function rmdir_recurse($path) {
 		}

 ?>	

 

-	Removing Directory and files /modules/<?php print $_POST['confirmation'];?>..........

+	Removing Directory and files /modules/<?php print htmlspecialchars($_POST['confirmation'], ENT_QUOTES, 'UTF-8');?>..........

 <?php

 	$directory = $tickets_dir . "/modules/" . $module_name;

 	$rem_dir = rmdir_recurse($directory);

@@ -162,7 +162,7 @@ function rmdir_recurse($path) {
 	<DIV style='background-color:#CECECE; position: absolute; width: 40%; height: 20%; left: 5%; top: 10%; border:2px inset #FFF2BF; display: block'>

 	<TABLE BORDER="0">

 	<TH COLSPAN="2">Delete a Tickets Module<BR /></TH>

-	<FORM NAME="delete_1" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

+	<FORM NAME="delete_1" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post">

 	<TR CLASS="even"><TD CLASS="td_label">Module: </TD><TD><?php print $choice;?></TD>

 	<TR CLASS="even"><TD COLSPAN="2" ALIGN="center"><input type="submit" name="submit" value="Submit" /></TD></TR>

 	</FORM></TABLE>
  • do_unit_mail.php+1 1 modified
    @@ -66,7 +66,7 @@ function subval_sort($a,$subkey) {
 	} elseif((!(empty($_GET))) && (array_key_exists('the_ticket', $_GET)) && $_GET['the_ticket'] == "doselect")  {	//	10/23/12
 	$step = 1;
 	} elseif((!(empty($_GET))) && (array_key_exists('the_ticket', $_GET)) && $_GET['the_ticket'] != "undefined" && $_GET['the_ticket'] != "doselect")  {	//	10/23/12
-	$tik_id = $_GET['the_ticket'];
+	$tik_id = intval($_GET['the_ticket']);
 	$step = (((integer) $_GET['the_ticket'])==0)? 0 : 2 ;
 	} else {
 //	dump(__LINE__);
  • icons/buttons/landb.php+3 3 modified
    @@ -632,7 +632,7 @@ function waiter() {
 </SCRIPT>

 </HEAD>

 <BODY onLoad = "waiter();">

-<DIV align="center" ID = 'c_id'><BR /><BR /><BR/><H3>'<?php echo $_POST['frm_name'];?>' added</H3></DIV>

+<DIV align="center" ID = 'c_id'><BR /><BR /><BR/><H3>'<?php echo htmlspecialchars($_POST['frm_name'], ENT_QUOTES, 'UTF-8');?>' added</H3></DIV>

 </BODY></HTML>

 <?php

 	break;			// end case "c"

@@ -979,14 +979,14 @@ function toggle(the_value) {
 <SCRIPT>

 function waiter() {

 	document.navform._func.value="r";

-	document.navform.id.value=<?php echo $_POST['frm_id'];?>

+	document.navform.id.value=<?php echo intval($_POST['frm_id']);?>

 //	fade("up_id;")	

 	setTimeout("document.navform.submit()",2000);

 	}

 </SCRIPT>

 </HEAD>

 <BODY onLoad = "waiter();">

-<DIV align="center" ID = 'up_id'><BR /><BR /><BR/><H3>'<?php echo $_POST['frm_name'];?>' update complete</H3></DIV>

+<DIV align="center" ID = 'up_id'><BR /><BR /><BR/><H3>'<?php echo htmlspecialchars($_POST['frm_name'], ENT_QUOTES, 'UTF-8');?>' update complete</H3></DIV>

 </BODY>

 </HTML>

 <?php
  • ics202.php+1 1 modified
    @@ -219,7 +219,7 @@ function in_check( $name, $tabindex, $value, $ischecked) {		//  <input type=text
 	echo template_ics ($item);		// fills form with default $item entries

 ?>

 <input type = 'hidden' name = 'step' value = 2 />

-<input type = 'hidden' name = 'frm_add_str' value = '<?php echo $_POST['frm_add_str'];?>'/>

+<input type = 'hidden' name = 'frm_add_str' value = '<?php echo htmlspecialchars($_POST['frm_add_str'], ENT_QUOTES, 'UTF-8');?>'/>

 </form>

 <script>

 	function validate(our_form) {		// ics form name check
  • ics205a.php+1 1 modified
    @@ -178,7 +178,7 @@ function in_text( $name, $size, $tabindex, $data = "") {		//  <input type=text .
 	echo template_205a ($item);		// fills form with default $item entries

 ?>

 <input type = 'hidden' name = 'step' value = 2 />

-<input type = 'hidden' name = 'frm_add_str' value = '<?php echo $_POST['frm_add_str'];?>'/>

+<input type = 'hidden' name = 'frm_add_str' value = '<?php echo htmlspecialchars($_POST['frm_add_str'], ENT_QUOTES, 'UTF-8');?>'/>

 </form>

 <script>

 	function validate(our_form) {		// ics form name check
  • ics205.php+1 1 modified
    @@ -257,7 +257,7 @@ function in_text( $name, $size, $tabindex, $data = "") {		//  <input type=text .
 ?>

 		<p style = 'margin-top:20px;'>

 			<input type = 'hidden' name = 'step' value = 2 />

-			<input type = 'hidden' name = 'frm_add_str' value = '<?php echo $_POST['frm_add_str'];?>'/>

+			<input type = 'hidden' name = 'frm_add_str' value = '<?php echo htmlspecialchars($_POST['frm_add_str'], ENT_QUOTES, 'UTF-8');?>'/>

 			</form>

 		</p>
  • ics213.php+1 1 modified
    @@ -35,7 +35,7 @@ function template_213_t () {	// table-only portion of page
 	global $item;

 	$out_str = "<TABLE DIR='LTR' BORDER=1 BORDERCOLOR='#000000' CELLPADDING=0 CELLSPACING=0 STYLE='width: 20.32cm; border:2px solid black; background-color: white;'>";

 	$out_str .= "\n<FORM NAME = 'ics213_form' METHOD = 'post' ACTION = '" . basename(__FILE__) . "' >\n";

-	$out_str .= "\n<INPUT TYPE = 'hidden' NAME = 'frm_add_str' VALUE = '{$_POST['frm_add_str']}'/>\n";

+	$out_str .= "\n<INPUT TYPE = 'hidden' NAME = 'frm_add_str' VALUE = '" . htmlspecialchars($_POST['frm_add_str'], ENT_QUOTES, 'UTF-8') . "'/>\n";

 	$out_str .= "<INPUT TYPE = 'hidden' NAME = 'step' VALUE = 2>

 		<COL WIDTH=46*>

 		<COL WIDTH=54*>
  • ics213rr.php+1 1 modified
    @@ -378,7 +378,7 @@ function in_text( $name, $size, $data, $dis) {		//  <input type=text ...
 	<SPAN ID='sub_but' class='plain text' style='float: none; width: 120px;; display: inline-block;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick="validate(this.form);"><SPAN STYLE='float: left;'><?php print get_text("Next");?></SPAN><IMG STYLE='float: right;' SRC='./images/submit_small.png' BORDER=0></SPAN><BR />

 </div>

 <input type = 'hidden' name = 'step' value = 2 />

-<input type = 'hidden' name = 'frm_add_str' value = '<?php echo $_POST["frm_add_str"];?>'/>

+<input type = 'hidden' name = 'frm_add_str' value = '<?php echo htmlspecialchars($_POST["frm_add_str"], ENT_QUOTES, 'UTF-8');?>'/>

 </form>

 <script>

 	function validate(our_form) {		// ics form name check
  • ics214.php+1 1 modified
    @@ -214,7 +214,7 @@ function in_text( $name, $size, $tabindex, $data = "") {		//  <input type=text .
 	echo template_ics ($item);		// fills form with default $item entries

 ?>

 <input type = 'hidden' name = 'step' value = 2 />

-<input type = 'hidden' name = 'frm_add_str' value = '<?php echo $_POST['frm_add_str'];?>'/>

+<input type = 'hidden' name = 'frm_add_str' value = '<?php echo htmlspecialchars($_POST['frm_add_str'], ENT_QUOTES, 'UTF-8');?>'/>

 </form>

 <script>

 	function validate(our_form) {		// ics form name check
  • incs/mail_form.php+1 1 modified
    @@ -533,7 +533,7 @@ function subval_sort($a,$subkey) {
 			LEFT JOIN `$GLOBALS[mysql_prefix]responder`	 `r` ON (`a`.`responder_id` = `r`.`id`)

 			LEFT JOIN `$GLOBALS[mysql_prefix]un_status`	 `s` ON (`r`.`un_status_id` = `s`.`id`)

 			LEFT JOIN `$GLOBALS[mysql_prefix]ticket` `t` ON (`a`.`ticket_id` = `t`.`id`)

-			WHERE `ticket_id` = {$_GET['ticket_id']} AND (LOCATE('@', `contact_via`) > 1 || (`smsg_id` IS NOT NULL AND `smsg_id` <> ''))

+			WHERE `ticket_id` = " . intval($_GET['ticket_id']) . " AND (LOCATE('@', `contact_via`) > 1 || (`smsg_id` IS NOT NULL AND `smsg_id` <> ''))

 			AND ((`clear` IS NULL) OR (DATE_FORMAT(`clear`,'%y') = '00'))

 			ORDER BY `name` ASC ";

 		$tik_id = $_GET['ticket_id'];
  • landb.php+1 1 modified
    @@ -771,7 +771,7 @@ function buildMap_c() {															// 'create' version - 691
 			<INPUT TYPE='hidden' NAME = '_func' VALUE='cp' />
 			<INPUT TYPE='hidden' NAME = 'frm_line_status' VALUE='0' />	
 			<INPUT TYPE='hidden' NAME = 'frm_line_cat_id' VALUE='0' />	
-			<INPUT TYPE='hidden' NAME = 'frm_line_type' VALUE='<?php echo $_POST['_type'];?>' />
+			<INPUT TYPE='hidden' NAME = 'frm_line_type' VALUE='<?php echo htmlspecialchars($_POST['_type'], ENT_QUOTES, 'UTF-8');?>' />
 			<INPUT TYPE='hidden' NAME = 'frm_line_data' VALUE='' />
 			<INPUT TYPE='hidden' NAME = 'frm_filled' VALUE='0' />
 			<INPUT TYPE='hidden' NAME = 'frm_use_with_bm' VALUE='0' />
  • opena.php+2 2 modified
    @@ -9,7 +9,7 @@
 error_reporting(E_ALL);				//10/1/08

 require_once('./incs/functions.inc.php');		//7/28/10

 

-$call = (empty($_GET))? "": $_GET['frm_call'];				// 10/1/08

+$call = (empty($_GET))? "": htmlspecialchars($_GET['frm_call'], ENT_QUOTES, 'UTF-8');				// 10/1/08

 	

 ?>

 

@@ -60,7 +60,7 @@ function do_focus() {
 		print "<BR /><H3>Test with aprs.fi succeeds!</H3>";

 		$temp = ($data->found );			// match count

 		if($temp==0) {

-			print "<BR /><H3>No data for '{$_GET['frm_call']}'</H3><BR />";		

+			print "<BR /><H3>No data for '" . htmlspecialchars($_GET['frm_call'], ENT_QUOTES, 'UTF-8') . "'</H3><BR />";		

 			}

 		else {			

 			$entry = (object) $data->entries[0];
  • os_watch.php+7 7 modified
    @@ -318,7 +318,7 @@ function do_tbl_footer() {
 	</tr>
 </table>
 <input type = hidden name = "mode"	value = 11 /> <!-- do_LOG_DB  -->
-<input type = hidden name = "ref" 	value = "<?php echo $_POST['ref'];?>" />
+<input type = hidden name = "ref" 	value = "<?php echo htmlspecialchars($_POST['ref'], ENT_QUOTES, 'UTF-8');?>" />
 </form>
 
 </body>
@@ -384,7 +384,7 @@ function set_signal(inval) {
 
 <form name='osw_form' method='post' action = '<?php echo basename(__FILE__) ;?>'>
 <input type = hidden name = "mode" 			value = "13" />									<!-- do_NOTE_DB -->
-<input type = hidden name = "ref" 			value = "<?php echo $_POST['ref'];?>" />
+<input type = hidden name = "ref" 			value = "<?php echo htmlspecialchars($_POST['ref'], ENT_QUOTES, 'UTF-8');?>" />
 <input type = hidden name = 'frm_type' 		value='' />
 <textarea name='frm_text' cols=70 rows = 2 placeholder = "Enter note text"></textarea>
 <br />
@@ -434,9 +434,9 @@ function set_signal(inval) {
 ?>
 <BODY onload = "setTimeout(function(){ do_can(); }, 1500);">		<!-- 1/14/10 -->
 <form name = "osw_form" method = "post" 	action = "<?php echo basename(__FILE__); ?>">
-<input type = hidden name = "mode" 		value = "<?php echo $_POST['mode_orig'];?>" /> <!-- original entry  -->
-<input type = hidden name = "mode_orig" value = "<?php echo $_POST['mode_orig'];?>" />
-<input type = hidden name = "ref" 		value = "<?php echo $_POST['ref'];?>" />
+<input type = hidden name = "mode" 		value = "<?php echo htmlspecialchars($_POST['mode_orig'], ENT_QUOTES, 'UTF-8');?>" /> <!-- original entry  -->
+<input type = hidden name = "mode_orig" value = "<?php echo htmlspecialchars($_POST['mode_orig'], ENT_QUOTES, 'UTF-8');?>" />
+<input type = hidden name = "ref" 		value = "<?php echo htmlspecialchars($_POST['ref'], ENT_QUOTES, 'UTF-8');?>" />
 </form>
 
 <center>
@@ -546,7 +546,7 @@ function validate () {
 
 <form name = 'osw_form' method = post 	action = "<?php echo basename(__FILE__); ?>">
 <input type = hidden name = "mode" 		value = 15 /> 	<!-- do_MAIL_SEND -->
-<input type = hidden name = "ref" 		value = "<?php echo $_POST['ref'];?>" />
+<input type = hidden name = "ref" 		value = "<?php echo htmlspecialchars($_POST['ref'], ENT_QUOTES, 'UTF-8');?>" />
 <center>
 			<TABLE ALIGN='center' BORDER = 0 style = 'margin-top:20px;'>
 				<TR CLASS='odd'><TH COLSPAN=2>Mail to: <?php print $row['handle']; ?></TH></TR> <!-- 7/2/10 -->
@@ -625,7 +625,7 @@ function validate () {
 <CENTER><BR /><BR /><BR /><H3>Message sent - window closing</H3>
 <form name = 'osw_form' method = post 	action = "<?php echo basename(__FILE__); ?>">
 <input type = hidden name = "mode" 		value = "" />
-<input type = hidden name = "ref" 		value = "<?php echo $_POST['ref'];?>" />
+<input type = hidden name = "ref" 		value = "<?php echo htmlspecialchars($_POST['ref'], ENT_QUOTES, 'UTF-8');?>" />
 </form>
 
 <?php
  • patient_JF.php+4 4 modified
    @@ -209,7 +209,7 @@ function do_lock(theForm) {										// 8/10/08
 	function do_notify() {

 		var theAddresses = '<?php print implode("|", array_unique($addrs));?>';		// drop dupes

 		var theText= "TICKET - PATIENT: ";

-		var theId = '<?php print $_GET['ticket_id'];?>';

+		var theId = '<?php print intval($_GET['ticket_id']);?>';

 //			 mail_it ($to_str, $text, $ticket_id, $text_sel=1;, $txt_only = FALSE)

 		

 		var params = "frm_to="+ escape(theAddresses) + "&frm_text=" + escape(theText) + "&frm_ticket_id=" + escape(theId) + "&text_sel=1";		// ($to_str, $text, $ticket_id)   10/15/08

@@ -326,7 +326,7 @@ function do_notify() {
 //		dump(stripslashes($row['description']));

 ?>

 		<FONT CLASS="header">Edit <?php print get_text("Patient");?> Record</FONT><BR /><BR />

-		<FORM METHOD='post' NAME='patientEd' onSubmit='return validate(document.patientEd);' ACTION="patient.php?id=<?php print $_GET['id'];?>&ticket_id=<?php print $_GET['ticket_id'];?>&action=update"><TABLE BORDER="0">

+		<FORM METHOD='post' NAME='patientEd' onSubmit='return validate(document.patientEd);' ACTION="patient.php?id=<?php print intval($_GET['id']);?>&ticket_id=<?php print intval($_GET['ticket_id']);?>&action=update"><TABLE BORDER="0">

 		<TR CLASS='even' >

 		  <TD><B>Patient Number: <font color='red' size='-1'>*</font></B></TD><TD><INPUT TYPE="text" NAME="frm_name" value="<?php print $row['name'];?>" size="32"></TD></TR>

 		<TR CLASS='odd'  VALIGN='top'><TD><B>Description:</B> <font color='red' size='-1'>*</font></TD><TD><TEXTAREA ROWS="8" COLS="45" NAME="frm_description" WRAP="virtual"><?php print $row['description'];?></TEXTAREA></TD></TR>

@@ -346,7 +346,7 @@ function do_notify() {
 	else {

 ?>

 		<BR /><BR /><FONT CLASS="header">Add <?php print get_text("Patient");?> Record</FONT><BR /><BR />

-		<FORM METHOD="post" NAME='patientAdd' onSubmit='return validate(document.patientAdd);'  ACTION="patient.php?ticket_id=<?php print $_GET['ticket_id'];?>&action=add"><TABLE BORDER="0">

+		<FORM METHOD="post" NAME='patientAdd' onSubmit='return validate(document.patientAdd);'  ACTION="patient.php?ticket_id=<?php print intval($_GET['ticket_id']);?>&action=add"><TABLE BORDER="0">

 		<TR CLASS='even' >

 		  <TD><B>Patient Number:</B> <font color='red' size='-1'>*</font></TD><TD><INPUT TYPE="text" NAME="frm_name" value="" size="32"></TD></TR>

 		<TR CLASS='odd' ><TD><B>Description: </B><font color='red' size='-1'>*</font></TD><TD><TEXTAREA ROWS="8" COLS="45" NAME="frm_description" WRAP="virtual"></TEXTAREA></TD></TR> <!-- 10/19/08 -->

@@ -362,7 +362,7 @@ function do_notify() {
 		}

 ?>

 <FORM NAME='can_Form' ACTION="main.php">

-<INPUT TYPE='hidden' NAME = 'id' VALUE = "<?php print $_GET['ticket_id'];?>">

+<INPUT TYPE='hidden' NAME = 'id' VALUE = "<?php print intval($_GET['ticket_id']);?>">

 </FORM>

 </HTML>

 <?php
  • patient.php+3 3 modified
    @@ -466,7 +466,7 @@ function do_reset (the_form) {
 		$row = stripslashes_deep($result->fetch_assoc());
 ?>
 		<SPAN STYLE='margin-left:83px;'><FONT CLASS="header">Edit <?php print get_text('Patient');?> Record</FONT></SPAN><BR /><BR />
-		<FORM METHOD='post' NAME='patientEd' onSubmit='return validate(document.patientEd);' ACTION="patient.php?id=<?php print $_GET['id'];?>&ticket_id=<?php print $_GET['ticket_id'];?>&action=update"><TABLE BORDER="0">
+		<FORM METHOD='post' NAME='patientEd' onSubmit='return validate(document.patientEd);' ACTION="patient.php?id=<?php print intval($_GET['id']);?>&ticket_id=<?php print intval($_GET['ticket_id']);?>&action=update"><TABLE BORDER="0">
 		<TABLE BORDER="0">
 			<TR CLASS='even'>
 				<TD CLASS='td_label text'>
@@ -686,7 +686,7 @@ function do_reset (the_form) {
 				$pulldown .= "<option value=\"{$row_fc['id']}\">" . $row_fc['name'] . "</option>\n";
 				}		
 ?>
-		<FORM METHOD="post" NAME='patientAdd' onSubmit='return validate(document.patientAdd);'  ACTION="patient.php?ticket_id=<?php print $_GET['ticket_id'];?>&action=add">
+		<FORM METHOD="post" NAME='patientAdd' onSubmit='return validate(document.patientAdd);'  ACTION="patient.php?ticket_id=<?php print intval($_GET['ticket_id']);?>&action=add">
 		<TABLE BORDER="0">
 			<TR CLASS='header'>
 				<TD COLSPAN='99' ALIGN='center'>
@@ -822,7 +822,7 @@ function do_reset (the_form) {
 		}
 ?>
 <FORM NAME='can_Form' ACTION="main.php">
-<INPUT TYPE='hidden' NAME = 'id' VALUE = "<?php print $_GET['ticket_id'];?>">
+<INPUT TYPE='hidden' NAME = 'id' VALUE = "<?php print intval($_GET['ticket_id']);?>">
 </FORM>
 <SCRIPT LANGUAGE="Javascript">
 if (typeof window.innerWidth != 'undefined') {
  • patient_w.php+6 6 modified
    @@ -338,7 +338,7 @@ function set_signal(inval) {
 			$row = stripslashes_deep($result->fetch_assoc());
 			print "<FONT CLASS='header text_large'>Really delete " . $patient . " record '" . shorten($row['description'], 24) . "' ? </FONT><BR /><BR />";
 ?>
-			<FORM METHOD='post' NAME='delfrm' ACTION='patient_w.php?action=delete&id=<?php print $_GET['id'];?>&ticket_id=<?php print $_GET['ticket_id'];?>&confirm=1'>
+			<FORM METHOD='post' NAME='delfrm' ACTION='patient_w.php?action=delete&id=<?php print intval($_GET['id']);?>&ticket_id=<?php print intval($_GET['ticket_id']);?>&confirm=1'>
 			<SPAN ID='sub_but' CLASS='plain text' STYLE='width: 100px; float: none; display: inline-block;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='document.delfrm.submit();'><SPAN STYLE='float: left;'><?php print get_text('Yes');?></SPAN><IMG STYLE='float: right;' SRC='./images/submit_small.png' BORDER=0 /></SPAN>
 			<SPAN ID='can_but' CLASS='plain text' STYLE='width: 100px; float: none; display: inline-block;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='window.close();'><SPAN STYLE='float: left;'><?php print get_text('Cancel');?></SPAN><IMG STYLE='float: right;' SRC='./images/cancel_small.png' BORDER=0 /></SPAN>
 			</FORM>
@@ -479,7 +479,7 @@ function set_signal(inval) {
 					<SPAN ID='reset_but' class='plain text' style='float: right; width: 100px;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='do_lock(document.patientEd); document.patientEd.reset();'><SPAN STYLE='float: left;'><?php print get_text("Reset");?></SPAN><IMG STYLE='float: right;' SRC='./images/restore_small.png' BORDER=0></SPAN>
 					<SPAN ID='sub_but' class='plain text' style='float: right; width: 100px;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='document.patientEd.submit();'><SPAN STYLE='float: left;'><?php print get_text("Next");?></SPAN><IMG STYLE='float: right;' SRC='./images/submit_small.png' BORDER=0></SPAN>
 				</DIV>
-				<FORM METHOD='post' NAME='patientEd' onSubmit='return validate(document.patientEd);' ACTION="<?php echo basename(__FILE__);?>?id=<?php print $_GET['id'];?>&ticket_id=<?php print $_GET['ticket_id'];?>&action=update">
+				<FORM METHOD='post' NAME='patientEd' onSubmit='return validate(document.patientEd);' ACTION="<?php echo basename(__FILE__);?>?id=<?php print intval($_GET['id']);?>&ticket_id=<?php print intval($_GET['ticket_id']);?>&action=update">
 				<TABLE BORDER="0" STYLE='margin-left: 20px; position: relative; top: 70px;'>
 					<TR CLASS='even' >
 						<TD CLASS='td_label text'><?php print get_text("Patient ID");?>: <font color='red' size='-1'>*</font></TD>
@@ -672,7 +672,7 @@ function to_edit(id) {
 		</script>
 
 		<FORM NAME = "list_form" METHOD = "get" ACTION = "<?php echo basename(__FILE__);?>">
-		<INPUT TYPE="hidden" NAME = "ticket_id" VALUE = "<?php echo $_GET['ticket_id'];?>">
+		<INPUT TYPE="hidden" NAME = "ticket_id" VALUE = "<?php echo intval($_GET['ticket_id']);?>">
 		<INPUT TYPE="hidden" NAME = "id" VALUE = "">
 		<INPUT TYPE="hidden" NAME = "action" VALUE = "edit">
 		</FORM>
@@ -752,7 +752,7 @@ function to_edit(id) {
 					<SPAN ID='reset_but' class='plain text' style='float: right; width: 100px;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='do_asof(document.patientAdd, false) reset();'><SPAN STYLE='float: left;'><?php print get_text("Reset");?></SPAN><IMG STYLE='float: right;' SRC='./images/restore_small.png' BORDER=0></SPAN>
 					<SPAN ID='sub_but' class='plain text' style='float: right; width: 100px;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='validate(document.patientAdd);'><SPAN STYLE='float: left;'><?php print get_text("Next");?></SPAN><IMG STYLE='float: right;' SRC='./images/submit_small.png' BORDER=0></SPAN>
 				</DIV>
-				<FORM METHOD="post" NAME='patientAdd' onSubmit='return validate(document.patientAdd);'  ACTION="<?php echo basename(__FILE__);?>?ticket_id=<?php print $_GET['ticket_id'];?>&action=add">
+				<FORM METHOD="post" NAME='patientAdd' onSubmit='return validate(document.patientAdd);'  ACTION="<?php echo basename(__FILE__);?>?ticket_id=<?php print intval($_GET['ticket_id']);?>&action=add">
 				<TABLE BORDER="0" STYLE='margin-left: 20px; position: relative; top: 70px;'>
 					<TR CLASS='even' >
 						<TD CLASS='td_label text text'><?php print get_text("Patient ID");?>: <font color='red' size='-1'>*</font></TD>
@@ -908,9 +908,9 @@ function init() {
 </BODY>
 <FORM NAME='next_Form' METHOD='get' ACTION='<?php echo basename(__FILE__); ?>'>
 <INPUT TYPE='hidden' NAME='action' VALUE='list' />
-<INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print $_GET['ticket_id'];?>' />
+<INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print intval($_GET['ticket_id']);?>' />
 </FORM>
 <FORM NAME='can_Form' ACTION="main.php">
-<INPUT TYPE='hidden' NAME = 'id' VALUE = "<?php print $_GET['ticket_id'];?>">
+<INPUT TYPE='hidden' NAME = 'id' VALUE = "<?php print intval($_GET['ticket_id']);?>">
 </FORM>
 </HTML>
  • routes_i.php+4 4 modified
    @@ -235,19 +235,19 @@ function doReset() {
 			<DIV ID="directions" STYLE="width: <?php print get_variable('map_width');?>"></DIV>
 		</TD></TR></TABLE><!-- end outer -->
 	<FORM NAME='can_Form' ACTION="main.php">
-	<INPUT TYPE='hidden' NAME = 'id' VALUE = "<?php print $_GET['ticket_id'];?>">
-	</FORM>	
+	<INPUT TYPE='hidden' NAME = 'id' VALUE = "<?php print intval($_GET['ticket_id']);?>">
+	</FORM>
 	<FORM NAME='routes_Form' METHOD='post' ACTION="<?php print basename( __FILE__); ?>">
 	<INPUT TYPE='hidden' NAME='func' 			VALUE='do_db'>
-	<INPUT TYPE='hidden' NAME='frm_ticket_id' 	VALUE='<?php print $_GET['ticket_id']; ?>'>
+	<INPUT TYPE='hidden' NAME='frm_ticket_id' 	VALUE='<?php print intval($_GET['ticket_id']); ?>'>
 	<INPUT TYPE='hidden' NAME='frm_by_id' 		VALUE= "<?php print $_SESSION['user_id'];?>">
 	<INPUT TYPE='hidden' NAME='frm_id_str' 		VALUE= "">
 	<INPUT TYPE='hidden' NAME='frm_name_str' 	VALUE= "">
 	<INPUT TYPE='hidden' NAME='frm_status_id' 	VALUE= "1">
 	<INPUT TYPE='hidden' NAME='frm_comments' 	VALUE= "New">
 	</FORM>
 	<FORM NAME='reLoad_Form' METHOD = 'get' ACTION="<?php print basename( __FILE__); ?>">
-	<INPUT TYPE='hidden' NAME='ticket_id' 	VALUE='<?php print $_GET['ticket_id']; ?>'>
+	<INPUT TYPE='hidden' NAME='ticket_id' 	VALUE='<?php print intval($_GET['ticket_id']); ?>'>
 	</FORM>	
 	
 	</BODY>
  • routes_nm.php+6 6 modified
    @@ -844,7 +844,7 @@ function get_addr(){				// returns incident address
 								</TD>
 							</TR>
 						</TABLE>
-						<INPUT TYPE='hidden' NAME='ticket_id' 	VALUE='<?php print $_GET['ticket_id']; ?>' />
+						<INPUT TYPE='hidden' NAME='ticket_id' 	VALUE='<?php print htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8'); ?>' />
 						<INPUT TYPE='hidden' NAME='unit_id' 	VALUE='<?php print $unit_id; ?>' />
 						</FORM>
 
@@ -893,15 +893,15 @@ function get_addr(){				// returns incident address
 		</DIV>
 	</DIV>
 	<FORM NAME='can_Form' ACTION="main.php">
-	<INPUT TYPE='hidden' NAME = 'id' VALUE = "<?php print $_GET['ticket_id'];?>"/>	
+	<INPUT TYPE='hidden' NAME = 'id' VALUE = "<?php print htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8');?>"/>	
 	</FORM>	
 
 <?php
 	
 ?>
 	<FORM NAME='routes_Form' METHOD='post' ACTION="<?php print $theAction;?>">
 	<INPUT TYPE='hidden' NAME='func' 			VALUE='do_db' />
-	<INPUT TYPE='hidden' NAME='frm_ticket_id' 	VALUE='<?php print $_GET['ticket_id']; ?>' />
+	<INPUT TYPE='hidden' NAME='frm_ticket_id' 	VALUE='<?php print htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8'); ?>' />
 	<INPUT TYPE='hidden' NAME='frm_by_id' 		VALUE= "<?php print $_SESSION['user_id'];?>" />
 	<INPUT TYPE='hidden' NAME='frm_id_str' 		VALUE= "" />
 	<INPUT TYPE='hidden' NAME='frm_name_str' 	VALUE= "" />
@@ -912,7 +912,7 @@ function get_addr(){				// returns incident address
 	<INPUT TYPE='hidden' NAME='frm_allow_dirs' 	VALUE = <?php print $_SESSION['allow_dirs']; ?> />	<!-- 11/21/09 -->
 	</FORM>
 	<FORM NAME='reLoad_Form' METHOD = 'get' ACTION="<?php print basename( __FILE__); ?>">
-	<INPUT TYPE='hidden' NAME='ticket_id' 	VALUE='<?php print $_GET['ticket_id']; ?>' />	<!-- 10/25/08 -->
+	<INPUT TYPE='hidden' NAME='ticket_id' 	VALUE='<?php print htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8'); ?>' />	<!-- 10/25/08 -->
 	</FORM>
 <?php
 	$user_level = is_super() ? 9999 : $_SESSION['user_id']; 
@@ -922,7 +922,7 @@ function get_addr(){				// returns incident address
 	$al_groups = $_SESSION['user_groups'];
 ?>				
 	<FORM NAME='reLoad_Form' METHOD = 'get' ACTION="<?php print basename( __FILE__); ?>">
-	<INPUT TYPE='hidden' NAME='ticket_id' 	VALUE='<?php print $_GET['ticket_id']; ?>' />	<!-- 10/25/08 -->
+	<INPUT TYPE='hidden' NAME='ticket_id' 	VALUE='<?php print htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8'); ?>' />	<!-- 10/25/08 -->
 	</FORM>
 
 	</BODY>
@@ -935,7 +935,7 @@ function get_addr(){				// returns incident address
 	function do_notify() {
 		var theAddresses = '<?php print implode("|", array_unique($addrs));?>';		// drop dupes
 		var theText= "ATTENTION - New Ticket: ";
-		var theId = '<?php print $_GET['ticket_id'];?>';
+		var theId = '<?php print intval($_GET['ticket_id']);?>';
 		
 //		var params = "frm_to="+ escape(theAddresses) + "&frm_text=" + escape(theText) + "&frm_ticket_id=" + escape(theId);		// ($to_str, $text, $ticket_id)   10/15/08
 		var params = "frm_to="+ theAddresses + "&frm_text=" + theText + "&frm_ticket_id=" + theId ;		// ($to_str, $text, $ticket_id)   10/15/08
  • search.php+1 1 modified
    @@ -349,7 +349,7 @@ function TrimString(sInString) {
 <TABLE CELLPADDING="2" BORDER="0" STYLE = 'margin-left:80px;'>
 	<TR CLASS = "even">
 		<TD VALIGN="top" CLASS="td_label text">Search for: &nbsp;</TD>
-		<TD CLASS='td_data text'><INPUT TYPE="text" SIZE="40" MAXLENGTH="255" VALUE="<?php print $post_frm_query;?>" NAME="frm_query"></TD>
+		<TD CLASS='td_data text'><INPUT TYPE="text" SIZE="40" MAXLENGTH="255" VALUE="<?php print htmlspecialchars($post_frm_query, ENT_QUOTES, 'UTF-8');?>" NAME="frm_query"></TD>
 	</TR>
 	<TR CLASS = "odd">
 		<TD VALIGN="top" CLASS="td_label text">In: &nbsp;</TD>
  • single.php+2 2 modified
    @@ -68,7 +68,7 @@
 <?php
 			if (!(is_guest())) {
 ?>
-				<SPAN id='edit_but' class='plain text' style='float: right; vertical-align: middle; display: inline-block; width: 100px;;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='window.opener.parent.frames["main"].location="edit.php?id=<?php print $_GET['ticket_id'];?>";'><SPAN STYLE='float: left;'><?php print get_text("Edit");?></SPAN><IMG STYLE='float: right;' SRC='./images/edit_small.png' BORDER=0></SPAN>
+				<SPAN id='edit_but' class='plain text' style='float: right; vertical-align: middle; display: inline-block; width: 100px;;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='window.opener.parent.frames["main"].location="edit.php?id=<?php print intval($_GET['ticket_id']);?>";'><SPAN STYLE='float: left;'><?php print get_text("Edit");?></SPAN><IMG STYLE='float: right;' SRC='./images/edit_small.png' BORDER=0></SPAN>
 <?php
 				}
 ?>
@@ -78,7 +78,7 @@
 			if (!(empty($row_ticket))) {								// 4/30/10
 				print do_ticket_wm($row_ticket, $the_width, FALSE, FALSE);
 				} else {
-				print "<CENTER><H3>No data for Ticket # {$_GET['ticket_id']} </H3>";
+				print "<CENTER><H3>No data for Ticket # " . htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8') . " </H3>";
 				}
 ?>
 		</DIV>
  • single_unit.php+1 1 modified
    @@ -54,7 +54,7 @@
 <?php
 			if (!(is_guest())) {
 ?>
-				<SPAN id='edit_but' class='plain' style='float: right; vertical-align: middle; display: inline-block; width: 100px;;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='window.opener.parent.frames["main"].location="?func=responder&edit=true&id&id=<?php print $_GET['id'];?>";'><SPAN STYLE='float: left;'><?php print get_text("Edit");?></SPAN><IMG STYLE='float: right;' SRC='./images/edit_small.png' BORDER=0></SPAN>
+				<SPAN id='edit_but' class='plain' style='float: right; vertical-align: middle; display: inline-block; width: 100px;;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='window.opener.parent.frames["main"].location="?func=responder&edit=true&id&id=<?php print intval($_GET['id']);?>";'><SPAN STYLE='float: left;'><?php print get_text("Edit");?></SPAN><IMG STYLE='float: right;' SRC='./images/edit_small.png' BORDER=0></SPAN>
 <?php
 				}
 ?>
  • street_view.php+2 2 modified
    @@ -37,8 +37,8 @@ function $() {									// 1/19/09
 	

 	

 	var myPano;

-	var lat = <?php print $_GET['thelat'];?>;

-	var lng =  <?php print $_GET['thelng'];?>;

+	var lat = <?php print floatval($_GET['thelat']);?>;

+	var lng =  <?php print floatval($_GET['thelng']);?>;

 	function do_the_view() {

 		var the_loc = new GLatLng(lat,lng);

 		panoramaOptions = { latlng:the_loc 	};
  • ticketsmdb_import.php+20 20 modified
    @@ -150,16 +150,16 @@ function ck_frames() {
 			</CENTER>

 		</DIV>

 		<FORM NAME='dodelete_Form' METHOD="post" ACTION = "ticketsmdb_import.php?mode=dodelete">

-		<INPUT TYPE='hidden' NAME = 'mdbhost' VALUE="<?php print $_POST['mdbhost'];?>"/>

-		<INPUT TYPE='hidden' NAME = 'mdbdb' VALUE="<?php print $_POST['mdbdb'];?>"/>

-		<INPUT TYPE='hidden' NAME = 'mdbuser' VALUE="<?php print $_POST['mdbuser'];?>"/>

-		<INPUT TYPE='hidden' NAME = 'mdbpassword' VALUE="<?php print $_POST['mdbpassword'];?>" />

-		<INPUT TYPE='hidden' NAME = 'mdbprefix' VALUE="<?php print $_POST['mdbprefix'];?>" />

-		<INPUT TYPE='hidden' NAME = 'ticketshost' VALUE="<?php print $_POST['ticketshost'];?>" />

-		<INPUT TYPE='hidden' NAME = 'ticketsdb' VALUE="<?php print $_POST['ticketsdb'];?>" />

-		<INPUT TYPE='hidden' NAME = 'ticketsuser' VALUE="<?php print $_POST['ticketsuser'];?>" />

-		<INPUT TYPE='hidden' NAME = 'ticketspassword' VALUE="<?php print $_POST['ticketspassword'];?>" />

-		<INPUT TYPE='hidden' NAME = 'ticketsprefix' VALUE="<?php print $_POST['ticketsprefix'];?>" />

+		<INPUT TYPE='hidden' NAME = 'mdbhost' VALUE="<?php print htmlspecialchars($_POST['mdbhost'], ENT_QUOTES, 'UTF-8');?>"/>

+		<INPUT TYPE='hidden' NAME = 'mdbdb' VALUE="<?php print htmlspecialchars($_POST['mdbdb'], ENT_QUOTES, 'UTF-8');?>"/>

+		<INPUT TYPE='hidden' NAME = 'mdbuser' VALUE="<?php print htmlspecialchars($_POST['mdbuser'], ENT_QUOTES, 'UTF-8');?>"/>

+		<INPUT TYPE='hidden' NAME = 'mdbpassword' VALUE="<?php print htmlspecialchars($_POST['mdbpassword'], ENT_QUOTES, 'UTF-8');?>" />

+		<INPUT TYPE='hidden' NAME = 'mdbprefix' VALUE="<?php print htmlspecialchars($_POST['mdbprefix'], ENT_QUOTES, 'UTF-8');?>" />

+		<INPUT TYPE='hidden' NAME = 'ticketshost' VALUE="<?php print htmlspecialchars($_POST['ticketshost'], ENT_QUOTES, 'UTF-8');?>" />

+		<INPUT TYPE='hidden' NAME = 'ticketsdb' VALUE="<?php print htmlspecialchars($_POST['ticketsdb'], ENT_QUOTES, 'UTF-8');?>" />

+		<INPUT TYPE='hidden' NAME = 'ticketsuser' VALUE="<?php print htmlspecialchars($_POST['ticketsuser'], ENT_QUOTES, 'UTF-8');?>" />

+		<INPUT TYPE='hidden' NAME = 'ticketspassword' VALUE="<?php print htmlspecialchars($_POST['ticketspassword'], ENT_QUOTES, 'UTF-8');?>" />

+		<INPUT TYPE='hidden' NAME = 'ticketsprefix' VALUE="<?php print htmlspecialchars($_POST['ticketsprefix'], ENT_QUOTES, 'UTF-8');?>" />

 		</FORM>

 		<FORM NAME='nodelete_Form' METHOD="post" ACTION = "config.php"></FORM>

 <?php

@@ -319,16 +319,16 @@ function ck_frames() {
 		</CENTER>

 	</DIV>

 		<FORM NAME='go_Form' METHOD="post" ACTION = "ticketsmdb_import.php?mode=go">

-		<INPUT TYPE='hidden' NAME = 'mdbhost' VALUE="<?php print $_POST['mdbhost'];?>"/>

-		<INPUT TYPE='hidden' NAME = 'mdbdb' VALUE="<?php print $_POST['mdbdb'];?>"/>

-		<INPUT TYPE='hidden' NAME = 'mdbuser' VALUE="<?php print $_POST['mdbuser'];?>"/>

-		<INPUT TYPE='hidden' NAME = 'mdbpassword' VALUE="<?php print $_POST['mdbpassword'];?>" />

-		<INPUT TYPE='hidden' NAME = 'mdbprefix' VALUE="<?php print $_POST['mdbprefix'];?>" />

-		<INPUT TYPE='hidden' NAME = 'ticketshost' VALUE="<?php print $_POST['ticketshost'];?>" />

-		<INPUT TYPE='hidden' NAME = 'ticketsdb' VALUE="<?php print $_POST['ticketsdb'];?>" />

-		<INPUT TYPE='hidden' NAME = 'ticketsuser' VALUE="<?php print $_POST['ticketsuser'];?>" />

-		<INPUT TYPE='hidden' NAME = 'ticketspassword' VALUE="<?php print $_POST['ticketspassword'];?>" />

-		<INPUT TYPE='hidden' NAME = 'ticketsprefix' VALUE="<?php print $_POST['ticketsprefix'];?>" />

+		<INPUT TYPE='hidden' NAME = 'mdbhost' VALUE="<?php print htmlspecialchars($_POST['mdbhost'], ENT_QUOTES, 'UTF-8');?>"/>

+		<INPUT TYPE='hidden' NAME = 'mdbdb' VALUE="<?php print htmlspecialchars($_POST['mdbdb'], ENT_QUOTES, 'UTF-8');?>"/>

+		<INPUT TYPE='hidden' NAME = 'mdbuser' VALUE="<?php print htmlspecialchars($_POST['mdbuser'], ENT_QUOTES, 'UTF-8');?>"/>

+		<INPUT TYPE='hidden' NAME = 'mdbpassword' VALUE="<?php print htmlspecialchars($_POST['mdbpassword'], ENT_QUOTES, 'UTF-8');?>" />

+		<INPUT TYPE='hidden' NAME = 'mdbprefix' VALUE="<?php print htmlspecialchars($_POST['mdbprefix'], ENT_QUOTES, 'UTF-8');?>" />

+		<INPUT TYPE='hidden' NAME = 'ticketshost' VALUE="<?php print htmlspecialchars($_POST['ticketshost'], ENT_QUOTES, 'UTF-8');?>" />

+		<INPUT TYPE='hidden' NAME = 'ticketsdb' VALUE="<?php print htmlspecialchars($_POST['ticketsdb'], ENT_QUOTES, 'UTF-8');?>" />

+		<INPUT TYPE='hidden' NAME = 'ticketsuser' VALUE="<?php print htmlspecialchars($_POST['ticketsuser'], ENT_QUOTES, 'UTF-8');?>" />

+		<INPUT TYPE='hidden' NAME = 'ticketspassword' VALUE="<?php print htmlspecialchars($_POST['ticketspassword'], ENT_QUOTES, 'UTF-8');?>" />

+		<INPUT TYPE='hidden' NAME = 'ticketsprefix' VALUE="<?php print htmlspecialchars($_POST['ticketsprefix'], ENT_QUOTES, 'UTF-8');?>" />

 		</FORM>

 <?php

 	break;

Vulnerability mechanics

Root cause

"Missing input sanitization on GET parameters id and ticket_id in patient_w.php allows reflected cross-site scripting by embedding unsanitized values directly into HTML form action URLs."

Attack vector

An authenticated attacker crafts a URL containing a JavaScript payload in the `id` or `ticket_id` GET parameter, e.g. `patient_w.php?id=1&ticket_id="><script>alert(1)</script>`. When the victim (who must be logged in) visits this link, the server reflects the unsanitized value into the `ACTION` attribute of an HTML form and into hidden input fields. The browser renders the injected script, executing arbitrary JavaScript in the victim's session context. The attack requires no special privileges beyond authentication and can be delivered via email or other link-sharing vectors [patch_id=1260418].

Affected code

The vulnerability exists in `patient_w.php` where the `id` and `ticket_id` GET parameters are printed directly into HTML form `ACTION` URLs and hidden input `VALUE` attributes without sanitization. Six output locations are affected: the delete confirmation form action, the patient edit form action, the patient add form action, and three hidden input fields for `ticket_id` and `id` [patch_id=1260418].

What the fix does

The patch wraps `$_GET['id']` and `$_GET['ticket_id']` with `intval()` in all six output locations within `patient_w.php` [patch_id=1260418]. Because these parameters are expected to be numeric ticket or patient identifiers, `intval()` safely coerces any value to an integer, stripping any JavaScript or HTML payload. This prevents an attacker from injecting arbitrary strings into the HTML `ACTION` attribute of forms and into hidden `VALUE` attributes. The same strategy (using `intval()` for numeric IDs, `htmlspecialchars()` for string values, and `floatval()` for coordinates) was applied across 22 files to fix a total of 69 reflected XSS vulnerabilities discovered in a full codebase scan.

Preconditions

  • authAttacker must be an authenticated user of the Open ISES Tickets application.
  • inputVictim must be logged in and click a crafted link containing the malicious GET parameters.
  • networkNo special network position required; attack is delivered over HTTP/HTTPS.

Generated on May 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.