{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/tickets--3.44.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-48242"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tickets","Tickets \u003c 3.44.2"],"_cs_severities":["medium"],"_cs_tags":["cve-2026-48242","hardcoded-credentials","database-access"],"_cs_type":"advisory","_cs_vendors":["Open ISES"],"content_html":"\u003cp\u003eOpen ISES Tickets, a web-based ticketing system, suffers from a critical vulnerability (CVE-2026-48242) affecting versions prior to 3.44.2. The vulnerability stems from hardcoded MySQL database connection credentials (host, username, password, database name) within the \u003ccode\u003eimport_mdb.php\u003c/code\u003e file. This file, and the credentials within it, were committed to the public code repository. As a result, anyone with access to the source code can potentially gain unauthorized access to the database server, leading to data breaches, modification, or complete system compromise. 
This exposure is particularly concerning given that deployed installations may be using the default, now-public, credentials.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to the Open ISES Tickets source code repository.\u003c/li\u003e\n\u003cli\u003eAttacker locates the \u003ccode\u003eimport_mdb.php\u003c/code\u003e file within the repository.\u003c/li\u003e\n\u003cli\u003eAttacker extracts the hardcoded MySQL database connection credentials from \u003ccode\u003eimport_mdb.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker uses the obtained credentials to establish a connection to the MySQL database server.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the database server using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eAttacker executes arbitrary SQL queries to read sensitive data from the database.\u003c/li\u003e\n\u003cli\u003eAttacker may modify or delete data within the database, leading to data corruption or service disruption.\u003c/li\u003e\n\u003cli\u003eAttacker may escalate privileges within the database server and gain access to other systems or data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-48242 can lead to full compromise of the Open ISES Tickets system and its associated data. With a CVSS v3.1 score of 8.1, the vulnerability poses a significant risk. The exposure of database credentials allows attackers to read, modify, or delete sensitive information, potentially affecting all users of the ticketing system. The hardcoded nature of the credentials and public accessibility of the code repository significantly increase the likelihood of exploitation. 
The number of affected installations is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Open ISES Tickets version 3.44.2 or later to remove the hardcoded credentials.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potential database access attempts using default credentials.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eimport_mdb.php\u003c/code\u003e file in existing installations and verify that the credentials have been changed from the default values.\u003c/li\u003e\n\u003cli\u003eRotate database credentials for all Open ISES Tickets instances.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T18:21:14Z","date_published":"2026-05-21T18:21:14Z","id":"https://feed.craftedsignal.io/briefs/2026-05-open-ises-hardcoded-credentials/","summary":"Open ISES Tickets before version 3.44.2 contains hardcoded MySQL database connection credentials in import_mdb.php, allowing unauthorized database access.","title":"Open ISES Tickets Hardcoded Database Credentials Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-open-ises-hardcoded-credentials/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-48241"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tickets \u003c 3.44.2"],"_cs_severities":["high"],"_cs_tags":["cve","hardcoded credentials","vulnerability","database"],"_cs_type":"advisory","_cs_vendors":["Open ISES"],"content_html":"\u003cp\u003eOpen ISES Tickets before version 3.44.2 is vulnerable to exposure of sensitive information via hardcoded credentials (CVE-2026-48241). The vulnerability exists in the \u003ccode\u003eloader.php\u003c/code\u003e file, a public-facing database utility where MySQL database credentials are hardcoded and committed to the source repository. 
An attacker with access to the public source tree (e.g., via a public GitHub repository) or an unauthenticated attacker with read access to the file on a deployed installation can read the username, password, and database name. These credentials could be used to connect to the MySQL database if it is reachable from the attacker\u0026rsquo;s network, leading to potential data breaches or other unauthorized activities. This vulnerability affects versions prior to 3.44.2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to the Open ISES Tickets source code repository or a deployed installation.\u003c/li\u003e\n\u003cli\u003eAttacker locates the \u003ccode\u003eloader.php\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eAttacker reads the \u003ccode\u003eloader.php\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eAttacker extracts the hardcoded MySQL database username, password, and database name from the file.\u003c/li\u003e\n\u003cli\u003eAttacker uses the extracted credentials to attempt a connection to the MySQL database server.\u003c/li\u003e\n\u003cli\u003eIf the database server is reachable from the attacker\u0026rsquo;s network, the connection is established.\u003c/li\u003e\n\u003cli\u003eAttacker performs unauthorized actions on the database, such as data exfiltration, modification, or deletion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain unauthorized access to the MySQL database used by Open ISES Tickets installations. This can lead to a full compromise of the data stored within the database, potentially including sensitive user information, ticket details, and other confidential data. The impact includes potential data breaches, financial loss due to regulatory fines, and reputational damage to the affected organization. 
The vulnerability affects all deployments of Open ISES Tickets prior to version 3.44.2.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Open ISES Tickets to version 3.44.2 or later to remediate CVE-2026-48241.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Open ISES Tickets loader.php Access\u003c/code\u003e to detect unauthorized access to the vulnerable file.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to the MySQL database server and alert on connections from unexpected or unauthorized IP addresses.\u003c/li\u003e\n\u003cli\u003eReview access controls to the Open ISES Tickets source code repository and deployed installations to ensure only authorized personnel have access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T18:20:59Z","date_published":"2026-05-21T18:20:59Z","id":"https://feed.craftedsignal.io/briefs/2026-05-open-ises-hardcoded-creds/","summary":"Open ISES Tickets before version 3.44.2 contains hardcoded MySQL database credentials in loader.php, allowing an attacker with access to the source code or the file on a deployed installation to read the username, password, and database name and use them to connect to the database (CVE-2026-48241).","title":"Open ISES Tickets Hardcoded MySQL Credentials Vulnerability (CVE-2026-48241)","url":"https://feed.craftedsignal.io/briefs/2026-05-open-ises-hardcoded-creds/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-48238"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tickets \u003c 3.44.2"],"_cs_severities":["high"],"_cs_tags":["cve","sql-injection","web-application"],"_cs_type":"advisory","_cs_vendors":["Open ISES"],"content_html":"\u003cp\u003eOpen ISES Tickets before version 3.44.2 is susceptible to SQL injection in the ajax/mobile_main.php component. 
The vulnerability stems from the insecure handling of the \u003ccode\u003eid\u003c/code\u003e GET parameter. Specifically, this parameter is directly concatenated into the WHERE clause of a SELECT statement without proper sanitization or parameterization. This allows an authenticated attacker to manipulate the SQL query and potentially read, modify, or delete sensitive data within the database. This vulnerability was reported on 2026-05-21 and assigned CVE-2026-48238. Exploitation requires authentication; however, the impact can be significant, leading to data breaches or complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker identifies the vulnerable endpoint \u003ccode\u003eajax/mobile_main.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting \u003ccode\u003eajax/mobile_main.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted GET request includes the \u003ccode\u003eid\u003c/code\u003e parameter with a SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe server-side application concatenates the unsanitized \u003ccode\u003eid\u003c/code\u003e parameter into the SQL query.\u003c/li\u003e\n\u003cli\u003eThe malicious SQL query is executed against the database.\u003c/li\u003e\n\u003cli\u003eThe attacker can read sensitive data from the database by using \u003ccode\u003eUNION SELECT\u003c/code\u003e to extract data from other tables.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies data using \u003ccode\u003eUPDATE\u003c/code\u003e statements within the injected SQL.\u003c/li\u003e\n\u003cli\u003eThe attacker can potentially gain full control over the application data, leading to complete compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-48238) 
can allow an attacker to read, modify, or destroy data within the Open ISES Tickets database. This can lead to sensitive information disclosure, data corruption, or denial of service. Given a CVSS base score of 7.1, the risk is considerable, especially if the targeted Open ISES Tickets instance contains sensitive information or is critical to business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Open ISES Tickets to version 3.44.2 or later to patch the SQL injection vulnerability (CVE-2026-48238) as recommended by the vendor.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SQL Injection Attempts in Open ISES Tickets\u003c/code\u003e to detect exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious GET requests to \u003ccode\u003eajax/mobile_main.php\u003c/code\u003e containing SQL injection payloads, specifically looking for SQL keywords or syntax in the \u003ccode\u003eid\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T18:20:19Z","date_published":"2026-05-21T18:20:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-open-ises-tickets-sql-injection/","summary":"Open ISES Tickets before version 3.44.2 is vulnerable to SQL injection (CVE-2026-48238) because the id GET parameter in ajax/mobile_main.php is concatenated into the WHERE clause of a SELECT statement without sanitization, allowing authenticated attackers to craft requests that can read, modify, or destroy database contents.","title":"Open ISES Tickets SQL Injection Vulnerability (CVE-2026-48238)","url":"https://feed.craftedsignal.io/briefs/2026-05-open-ises-tickets-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Tickets \u003c 3.44.2","version":"https://jsonfeed.org/version/1.1"}