<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Open ISES — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/open-ises/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 21 May 2026 18:21:14 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/open-ises/feed.xml" rel="self" type="application/rss+xml"/><item><title>Open ISES Tickets Hardcoded Database Credentials Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-open-ises-hardcoded-credentials/</link><pubDate>Thu, 21 May 2026 18:21:14 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-open-ises-hardcoded-credentials/</guid><description>Open ISES Tickets before version 3.44.2 contains hardcoded MySQL database connection credentials in import_mdb.php, allowing unauthorized database access.</description><content:encoded><![CDATA[<p>Open ISES Tickets, a web-based ticketing system, suffers from a critical vulnerability (CVE-2026-48242) affecting versions prior to 3.44.2. The vulnerability stems from hardcoded MySQL database connection credentials (host, username, password, database name) within the <code>import_mdb.php</code> file. This file, and the credentials within it, were committed to the public code repository. As a result, anyone with access to the source code can potentially gain unauthorized access to the database server, leading to data breaches, modification, or complete system compromise. 
This exposure is particularly concerning given that deployed installations may be using the default, now-public, credentials.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains access to the Open ISES Tickets source code repository.</li>
<li>Attacker locates the <code>import_mdb.php</code> file within the repository.</li>
<li>Attacker extracts the hardcoded MySQL database connection credentials from <code>import_mdb.php</code>.</li>
<li>Attacker uses the obtained credentials to establish a connection to the MySQL database server.</li>
<li>Attacker authenticates to the database server using the compromised credentials.</li>
<li>Attacker executes arbitrary SQL queries to read sensitive data from the database.</li>
<li>Attacker may modify or delete data within the database, leading to data corruption or service disruption.</li>
<li>Attacker may escalate privileges within the database server and gain access to other systems or data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-48242 can lead to full compromise of the Open ISES Tickets system and its associated data. With a CVSS v3.1 score of 8.1, the vulnerability poses a significant risk. The exposure of database credentials allows attackers to read, modify, or delete sensitive information, potentially affecting all users of the ticketing system. The hardcoded nature of the credentials and public accessibility of the code repository significantly increase the likelihood of exploitation. The number of affected installations is currently unknown.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to Open ISES Tickets version 3.44.2 or later to remove the hardcoded credentials.</li>
<li>Deploy the Sigma rule to detect potential database access attempts using default credentials.</li>
<li>Review the <code>import_mdb.php</code> file in existing installations and verify that the credentials have been changed from the default values.</li>
<li>Rotate database credentials for all Open ISES Tickets instances.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cve-2026-48242</category><category>hardcoded-credentials</category><category>database-access</category></item><item><title>Open ISES Tickets Hardcoded MySQL Credentials Vulnerability (CVE-2026-48241)</title><link>https://feed.craftedsignal.io/briefs/2026-05-open-ises-hardcoded-creds/</link><pubDate>Thu, 21 May 2026 18:20:59 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-open-ises-hardcoded-creds/</guid><description>Open ISES Tickets before version 3.44.2 contains hardcoded MySQL database credentials in loader.php, allowing an attacker with access to the source code or the file on a deployed installation to read the username, password, and database name and use them to connect to the database (CVE-2026-48241).</description><content:encoded><![CDATA[<p>Open ISES Tickets before version 3.44.2 is vulnerable to exposure of sensitive information via hardcoded credentials (CVE-2026-48241). The vulnerability exists in the <code>loader.php</code> file, a public-facing database utility where MySQL database credentials are hardcoded and committed to the source repository. An attacker with access to the public source tree (e.g., via public GitHub repository) or an unauthenticated attacker with read access to the file on a deployed installation can read the username, password, and database name. These credentials could be used to connect to the MySQL database if it is reachable from the attacker&rsquo;s network, leading to potential data breaches or other unauthorized activities. This vulnerability affects versions prior to 3.44.2.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains access to the Open ISES Tickets source code repository or a deployed installation.</li>
<li>Attacker locates the <code>loader.php</code> file.</li>
<li>Attacker reads the <code>loader.php</code> file.</li>
<li>Attacker extracts the hardcoded MySQL database username, password, and database name from the file.</li>
<li>Attacker uses the extracted credentials to attempt a connection to the MySQL database server.</li>
<li>If the database server is reachable from the attacker&rsquo;s network, the connection is established.</li>
<li>Attacker performs unauthorized actions on the database, such as data exfiltration, modification, or deletion.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to gain unauthorized access to the MySQL database used by Open ISES Tickets installations. This can lead to a full compromise of the data stored within the database, potentially including sensitive user information, ticket details, and other confidential data. The impact includes potential data breaches, financial loss due to regulatory fines, and reputational damage to the affected organization. The vulnerability affects all deployments of Open ISES Tickets prior to version 3.44.2.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Open ISES Tickets to version 3.44.2 or later to remediate CVE-2026-48241.</li>
<li>Implement the Sigma rule <code>Detect Open ISES Tickets loader.php Access</code> to detect unauthorized access to the vulnerable file.</li>
<li>Monitor network connections to the MySQL database server and alert on connections from unexpected or unauthorized IP addresses.</li>
<li>Review access controls to the Open ISES Tickets source code repository and deployed installations to ensure only authorized personnel have access.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve</category><category>hardcoded credentials</category><category>vulnerability</category><category>database</category></item><item><title>Open ISES Tickets SQL Injection Vulnerability (CVE-2026-48240)</title><link>https://feed.craftedsignal.io/briefs/2026-05-open-ises-sql-injection/</link><pubDate>Thu, 21 May 2026 18:20:46 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-open-ises-sql-injection/</guid><description>Open ISES Tickets before version 3.44.2 is vulnerable to SQL injection in ajax/statistics.php via the tick_id and f_tick_id POST parameters, allowing authenticated attackers to manipulate SQL queries and potentially read, modify, or destroy database contents.</description><content:encoded><![CDATA[<p>Open ISES Tickets before version 3.44.2 is susceptible to a SQL injection vulnerability (CVE-2026-48240) within the <code>ajax/statistics.php</code> script. The vulnerability stems from the improper sanitization of the <code>tick_id</code> and <code>f_tick_id</code> POST parameters. These parameters are directly concatenated into the WHERE clauses of SELECT statements used in statistics rollup queries. An authenticated attacker can exploit this flaw by crafting malicious requests that alter the query&rsquo;s intended semantics, potentially enabling the unauthorized reading, modification, or deletion of sensitive data stored within the database. This issue was reported by VulnCheck and has a CVSS v3.1 base score of 7.1.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker authenticates to the Open ISES Tickets application with valid credentials.</li>
<li>Attacker crafts a malicious HTTP POST request targeting <code>ajax/statistics.php</code>.</li>
<li>The POST request includes the <code>tick_id</code> or <code>f_tick_id</code> parameter containing a SQL injection payload.</li>
<li>The application unsafely concatenates the attacker-controlled parameters into the SQL query&rsquo;s WHERE clause.</li>
<li>The malicious SQL query executes against the database, potentially altering data selection, modification, or deletion.</li>
<li>The application returns a potentially modified or erroneous statistics rollup result based on the injected SQL.</li>
<li>Attacker analyzes the response to refine and escalate the SQL injection attack.</li>
<li>Attacker leverages the successful SQL injection to read sensitive database contents or perform unauthorized data manipulation, potentially compromising the entire application.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SQL injection vulnerability (CVE-2026-48240) could allow an attacker to read sensitive information from the Open ISES Tickets database, potentially including user credentials, ticket details, and other confidential data. The attacker may also be able to modify or delete data, leading to data corruption or denial of service. Given the high CVSS score of 7.1, this vulnerability poses a significant risk to the confidentiality and integrity of the application and its data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Open ISES Tickets to version 3.44.2 or later to patch CVE-2026-48240 (see References).</li>
<li>Deploy the Sigma rules provided below to detect potential exploitation attempts targeting the vulnerable <code>ajax/statistics.php</code> endpoint.</li>
<li>Implement input validation and sanitization for the <code>tick_id</code> and <code>f_tick_id</code> POST parameters in <code>ajax/statistics.php</code> to prevent SQL injection attacks.</li>
<li>Review and restrict database access privileges for the Open ISES Tickets application to minimize the impact of successful SQL injection attacks.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sql-injection</category><category>cve-2026-48240</category><category>web-application</category></item><item><title>Open ISES Tickets SQL Injection Vulnerability (CVE-2026-48238)</title><link>https://feed.craftedsignal.io/briefs/2026-05-open-ises-tickets-sql-injection/</link><pubDate>Thu, 21 May 2026 18:20:19 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-open-ises-tickets-sql-injection/</guid><description>Open ISES Tickets before version 3.44.2 is vulnerable to SQL injection (CVE-2026-48238) because the id GET parameter in ajax/mobile_main.php is concatenated into the WHERE clause of a SELECT statement without sanitization, allowing authenticated attackers to craft requests that can read, modify, or destroy database contents.</description><content:encoded><![CDATA[<p>Open ISES Tickets before version 3.44.2 is susceptible to SQL injection in the <code>ajax/mobile_main.php</code> component. The vulnerability stems from the insecure handling of the <code>id</code> GET parameter. Specifically, this parameter is directly concatenated into the WHERE clause of a SELECT statement without proper sanitization or parameterization. This allows an authenticated attacker to manipulate the SQL query and potentially read, modify, or delete sensitive data within the database. This vulnerability was reported on 2026-05-21 and assigned CVE-2026-48238. Exploitation requires authentication; however, the impact can be significant, leading to data breaches or complete system compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated attacker identifies the vulnerable endpoint <code>ajax/mobile_main.php</code>.</li>
<li>The attacker crafts a malicious HTTP GET request targeting <code>ajax/mobile_main.php</code>.</li>
<li>The crafted GET request includes the <code>id</code> parameter with a SQL injection payload.</li>
<li>The server-side application concatenates the unsanitized <code>id</code> parameter into the SQL query.</li>
<li>The malicious SQL query is executed against the database.</li>
<li>The attacker can read sensitive data from the database by using <code>UNION SELECT</code> to extract data from other tables.</li>
<li>Alternatively, the attacker modifies data using <code>UPDATE</code> statements within the injected SQL.</li>
<li>The attacker can potentially gain full control over the application data, leading to complete compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SQL injection vulnerability (CVE-2026-48238) can allow an attacker to read, modify, or destroy data within the Open ISES Tickets database. This can lead to sensitive information disclosure, data corruption, or denial of service. Given a CVSS base score of 7.1, the risk is considerable, especially if the targeted Open ISES Tickets instance contains sensitive information or is critical to business operations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Open ISES Tickets to version 3.44.2 or later to patch the SQL injection vulnerability (CVE-2026-48238) as recommended by the vendor.</li>
<li>Deploy the Sigma rule <code>Detect SQL Injection Attempts in Open ISES Tickets</code> to detect exploitation attempts targeting the vulnerable endpoint.</li>
<li>Monitor web server logs for suspicious GET requests to <code>ajax/mobile_main.php</code> containing SQL injection payloads, specifically looking for SQL keywords or syntax in the <code>id</code> parameter.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve</category><category>sql-injection</category><category>web-application</category></item></channel></rss>