Vendor CVEs
Openises
All CVEs
55 total · sorted by risk

| CVE | Sev | Risk | CVSS | EPSS | Published | Description | Vendor / Product | KEV |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-25404 | Hig | 0.53 | 8.2 | 0.00 | May 29, 2026 | The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ticket_id parameter. Attackers can send GET requests to add_facnote.php with crafted SQL payloads to… | ||
| CVE-2018-25403 | Hig | 0.53 | 8.2 | 0.00 | May 29, 2026 | The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to city_graph.php with crafted SQL payloads to extract… | ||
| CVE-2018-25402 | Hig | 0.53 | 8.2 | 0.00 | May 29, 2026 | The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to inc_types_graph.php with crafted SQL payloads to… | ||
| CVE-2018-25401 | Hig | 0.53 | 8.2 | 0.00 | May 29, 2026 | The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to sever_graph.php with crafted SQL payloads to… | ||
| CVE-2018-25400 | Hig | 0.53 | 8.2 | 0.00 | May 29, 2026 | The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to the ajax/form_post.php endpoint with crafted SQL… | ||
| CVE-2018-25399 | Hig | 0.53 | 8.2 | 0.00 | May 29, 2026 | The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tick_lat and tick_lng parameters. Attackers can send GET requests to nearby.php with crafted SQL… | ||
| CVE-2018-25398 | Hig | 0.53 | 8.2 | 0.00 | May 29, 2026 | The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the frm_passwd parameter. Attackers can send POST requests to main.php with crafted SQL payloads to… | ||
| CVE-2018-25408 | Hig | 0.49 | 7.5 | 0.01 | May 30, 2026 | The Open ISES Project 3.30A contains a path traversal vulnerability in the ajax/download.php endpoint that allows unauthenticated attackers to download arbitrary files by manipulating the filename parameter. Attackers can supply directory traversal sequences ../ in the filename… | ||
| CVE-2026-48242 | Hig | 0.46 | 8.1 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials (host, username, password, database name) in import_mdb.php. The credentials are embedded in source code committed to the public repository, allowing any reader of the source to obtain valid… | ||
| CVE-2026-48241 | Hig | 0.46 | 8.1 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains hardcoded MySQL database credentials in loader.php (a public-facing database utility) that are committed to the source repository. Any actor with access to the public source tree (or an unauthenticated attacker with read access to the… | ||
| CVE-2026-48235 | Hig | 0.46 | 8.2 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses (InstaMapper and Google Latitude integration) are… | ||
| CVE-2026-48240 | Hig | 0.39 | 7.1 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/statistics.php where the tick_id and f_tick_id POST parameters are concatenated into WHERE clauses of SELECT statements in the statistics rollup queries without sanitization. Authenticated attackers… | ||
| CVE-2026-48239 | Hig | 0.39 | 7.1 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/reports.php where the tick_id POST parameter is concatenated into the WHERE clause of SELECT statements in the incidents summary report without sanitization. Authenticated attackers can craft requests… | ||
| CVE-2026-48238 | Hig | 0.39 | 7.1 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/mobile_main.php where the id GET parameter is concatenated into the WHERE clause of a SELECT statement used as a ticket-existence sanity check without sanitization. Authenticated attackers can craft… | ||
| CVE-2026-48237 | Hig | 0.39 | 7.1 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in message.php where the frm_ticket_id and frm_resp_id POST parameters are concatenated into WHERE clauses of SELECT/UPDATE statements without sanitization. Authenticated attackers can craft requests that… | ||
| CVE-2026-48236 | Hig | 0.39 | 7.1 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in db_loader.php where the multiple POST parameters (ticketsdb, ticketshost, ticketsuser, ticketspassword) are concatenated into mysqli connection arguments and dynamic SQL operating against an… | ||
| CVE-2026-48234 | Hig | 0.39 | 7.1 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in portal/ajax/list_requests.php where the sort and dir GET parameters are concatenated into the ORDER BY clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that… | ||
| CVE-2026-48233 | Hig | 0.39 | 7.1 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/sit_incidents.php where the offset GET parameter is concatenated into the LIMIT clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that alter query semantics… | ||
| CVE-2026-48232 | Hig | 0.39 | 7.1 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/fullsit_incidents.php where the offset GET parameter is concatenated into the LIMIT clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that alter query… | ||
| CVE-2026-48231 | Hig | 0.39 | 7.1 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in tables.php where the multiple POST parameters (tablename, indexname, sortby) are concatenated into table/column identifiers in dynamically constructed SELECT/UPDATE/DELETE statements without sanitization.… | ||
| CVE-2026-48249 | Med | 0.31 | 5.9 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobile_login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests issued during the mobile (RouteMate) login flow. An… | ||
| CVE-2026-48248 | Med | 0.31 | 5.9 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests issued during the login/authentication flow. An attacker… | ||
| CVE-2026-48247 | Med | 0.31 | 5.9 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/functions.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests for general-purpose outbound HTTPS requests issued by the… | ||
| CVE-2026-48246 | Med | 0.31 | 5.9 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 disables TLS certificate verification in ajax/reports.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests for Google Maps Directions API lookups during incident report… | ||
| CVE-2026-48230 | Med | 0.28 | 5.4 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ticketsmdb_import.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters (mdbhost, mdbdb, mdbuser,… | ||
| CVE-2026-48229 | Med | 0.28 | 5.4 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_i.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into HTML form hidden input… | ||
| CVE-2026-48228 | Med | 0.28 | 5.4 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient_w.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket_id GET parameters directly into an HTML form… | ||
| CVE-2026-48227 | Med | 0.28 | 5.4 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket_id GET parameters directly into an HTML form action… | ||
| CVE-2026-48226 | Med | 0.28 | 5.4 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in os_watch.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ref and mode_orig POST parameters directly into HTML form hidden… | ||
| CVE-2026-48225 | Med | 0.28 | 5.4 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the _type POST parameter directly into an HTML form hidden input value… | ||
| CVE-2026-48224 | Med | 0.28 | 5.4 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics214.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input… | ||
| CVE-2026-48223 | Med | 0.28 | 5.4 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213rr.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden… | ||
| CVE-2026-48222 | Med | 0.28 | 5.4 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input… | ||
| CVE-2026-48221 | Med | 0.28 | 5.4 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics205a.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden… | ||
| CVE-2026-48220 | Med | 0.28 | 5.4 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics205.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input… | ||
| CVE-2026-48219 | Med | 0.28 | 5.4 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics202.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input… | ||
| CVE-2026-48218 | Med | 0.28 | 5.4 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in icons/buttons/landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_name and frm_id POST parameters directly into… | ||
| CVE-2026-48217 | Med | 0.28 | 5.4 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in delete_module.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters (module_choice, flag,… | ||
| CVE-2026-48216 | Med | 0.28 | 5.4 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in db_loader.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters (ticketshost, ticketsdb, ticketsuser,… | ||
| CVE-2026-48215 | Med | 0.28 | 5.4 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in circle.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_id POST parameter directly into an HTML form input value… | ||
| CVE-2026-48214 | Med | 0.28 | 5.4 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id POST parameter directly into an HTML form input value… | ||
| CVE-2026-48213 | Med | 0.28 | 5.4 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id POST parameter directly into an HTML form input value… | ||
| CVE-2026-48245 | Med | 0.27 | 5.3 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in tables.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original… | ||
| CVE-2026-48244 | Med | 0.27 | 5.3 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in settings.inc.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the… | ||
| CVE-2026-48243 | Med | 0.27 | 5.3 | 0.00 | May 21, 2026 | Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third-party API calls billed to or rate-limited… | ||
| CVE-2026-35016 | Med | 0.23 | 4.6 | 0.00 | May 20, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in search.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_query POST parameter directly into an HTML input field VALUE… | ||
| CVE-2026-35015 | Med | 0.23 | 4.6 | 0.00 | May 20, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in do_unit_mail.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the the_ticket GET parameter directly into a JavaScript variable… | ||
| CVE-2026-35014 | Med | 0.23 | 4.6 | 0.00 | May 20, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field… | ||
| CVE-2026-35013 | Med | 0.23 | 4.6 | 0.00 | May 20, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in street_view.php that allows authenticated attackers to inject arbitrary JavaScript by passing unsanitized values through the thelat and thelng GET parameters directly into JavaScript… | ||
| CVE-2026-35012 | Med | 0.23 | 4.6 | 0.00 | May 20, 2026 | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_facnote.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field… |
Page 1 of 2