VYPR

Open ISES Tickets

by Openises

CVEs (20)

  • CVE-2018-25404 | High | May 29, 2026
    risk 0.53 | cvss 8.2 | epss 0.00

    The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ticket_id parameter. Attackers can send GET requests to add_facnote.php with crafted SQL payloads to…

  • CVE-2018-25403 | High | May 29, 2026
    risk 0.53 | cvss 8.2 | epss 0.00

    The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to city_graph.php with crafted SQL payloads to extract…

  • CVE-2018-25402 | High | May 29, 2026
    risk 0.53 | cvss 8.2 | epss 0.00

    The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to inc_types_graph.php with crafted SQL payloads to…

  • CVE-2018-25401 | High | May 29, 2026
    risk 0.53 | cvss 8.2 | epss 0.00

    The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to sever_graph.php with crafted SQL payloads to…

  • CVE-2018-25400 | High | May 29, 2026
    risk 0.53 | cvss 8.2 | epss 0.00

    The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to the ajax/form_post.php endpoint with crafted SQL…

  • CVE-2018-25399 | High | May 29, 2026
    risk 0.53 | cvss 8.2 | epss 0.00

    The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tick_lat and tick_lng parameters. Attackers can send GET requests to nearby.php with crafted SQL…

  • CVE-2018-25398 | High | May 29, 2026
    risk 0.53 | cvss 8.2 | epss 0.00

    The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the frm_passwd parameter. Attackers can send POST requests to main.php with crafted SQL payloads to…

  • CVE-2018-25408 | High | May 30, 2026
    risk 0.49 | cvss 7.5 | epss 0.01

    The Open ISES Project 3.30A contains a path traversal vulnerability in the ajax/download.php endpoint that allows unauthenticated attackers to download arbitrary files by manipulating the filename parameter. Attackers can supply directory traversal sequences ../ in the filename…

  • CVE-2026-48235 | High | May 21, 2026
    risk 0.46 | cvss 8.2 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses (InstaMapper and Google Latitude integration) are…

  • CVE-2026-48237 | High | May 21, 2026
    risk 0.39 | cvss 7.1 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in message.php where the frm_ticket_id and frm_resp_id POST parameters are concatenated into WHERE clauses of SELECT/UPDATE statements without sanitization. Authenticated attackers can craft requests that…

  • CVE-2026-48233 | High | May 21, 2026
    risk 0.39 | cvss 7.1 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/sit_incidents.php where the offset GET parameter is concatenated into the LIMIT clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that alter query semantics…

  • CVE-2026-48247 | Medium | May 21, 2026
    risk 0.31 | cvss 5.9 | epss 0.00

    Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/functions.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) for general-purpose outbound HTTPS requests issued by the…

  • CVE-2026-48224 | Medium | May 21, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics214.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input…

  • CVE-2026-48218 | Medium | May 21, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in icons/buttons/landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_name and frm_id POST parameters directly into…

  • CVE-2026-48216 | Medium | May 21, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in db_loader.php that allows authenticated attackers to inject arbitrary JavaScript by passing unsanitized values through multiple POST parameters (ticketshost, ticketsdb, ticketsuser,…

  • CVE-2026-48245 | Medium | May 21, 2026
    risk 0.27 | cvss 5.3 | epss 0.00

    Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in tables.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original…

  • CVE-2026-48243 | Medium | May 21, 2026
    risk 0.27 | cvss 5.3 | epss 0.00

    Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third-party API calls billed to or rate-limited…

  • CVE-2026-35013 | Medium | May 20, 2026
    risk 0.23 | cvss 4.6 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in street_view.php that allows authenticated attackers to inject arbitrary JavaScript by passing unsanitized values through the thelat and thelng GET parameters directly into JavaScript…

  • CVE-2026-35009 | Medium | May 20, 2026
    risk 0.23 | cvss 4.6 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_note.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field VALUE…

  • CVE-2026-35008 | Medium | May 20, 2026
    risk 0.23 | cvss 4.6 | epss 0.00

    Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into an HTML attribute. Attackers…