CVE-2026-35013 Overview
CVE-2026-35013 is a reflected cross-site scripting (XSS) vulnerability in Open ISES Tickets versions prior to 3.44.2. The flaw resides in street_view.php, which passes the thelat and thelng GET parameters directly into JavaScript variable assignments without sanitization. Authenticated attackers can craft a malicious URL containing a JavaScript payload in either parameter. When a victim visits the URL, the payload executes in the victim's browser session. The issue is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in a victim's browser, enabling session theft, UI manipulation, and actions performed as the authenticated user.
Affected Products
- Open ISES Tickets versions prior to 3.44.2
- The street_view.php component
- Deployments exposing the thelat and thelng GET parameters
Discovery Timeline
- 2026-05-20 - CVE-2026-35013 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-35013
Vulnerability Analysis
The vulnerability exists in street_view.php, a server-side PHP component within Open ISES Tickets. The script accepts the thelat and thelng GET parameters, which are intended to carry latitude and longitude coordinates. Instead of validating or encoding these values, the application embeds them directly into JavaScript variable assignments in the rendered page.
Because the parameters are reflected into a JavaScript context without output encoding, an attacker can break out of the variable assignment and inject arbitrary script. The payload executes in the security context of the Open ISES Tickets application. Exploitation requires user interaction: the victim must click or load the attacker-crafted URL. Attackers can use this to steal cookies, hijack ticketing sessions, modify the DOM, or pivot to further actions allowed by the authenticated user.
Root Cause
The root cause is missing input sanitization and output encoding around user-controlled GET parameters used inside JavaScript. The application treats thelat and thelng as trusted numeric values but performs no validation against a numeric type or character allowlist. This permits arbitrary characters, including quotes, semicolons, and script tags, to flow into JavaScript source. The fix landed in commit ecfeb40 and is included in release v3.44.2.
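The root-cause description above maps onto a two-step fix: validate each parameter against a numeric allowlist and a plausible coordinate range, then encode the validated value for the JavaScript context it is written into, so the output grammar can never contain a quote, a semicolon or a closing tag. The following is an added Python model of that check, not code from Open ISES Tickets or from commit ecfeb40 (the advisory does not reproduce the vendor's exact handling); the function names, the [-90, 90] / [-180, 180] ranges and the emitted script shape are assumptions for illustration.

```python
import json
import math
import re

# Strict coordinate grammar: optional sign, digits, optional fraction. No exponent,
# no whitespace, no hex, no NaN/Infinity, so nothing that could carry script.
_COORD_RE = re.compile(r"^-?[0-9]+(\.[0-9]+)?$")


def parse_coordinate(raw, low, high):
    """Validate a user-supplied coordinate string and return it as a float.

    Raises ValueError for anything that is not a plain decimal number inside
    [low, high]. This is the allowlist check the advisory says was missing.
    """
    if not isinstance(raw, str) or not _COORD_RE.fullmatch(raw):
        raise ValueError("coordinate is not a plain decimal number: %r" % (raw,))
    value = float(raw)
    # A very long digit string still matches the regex but overflows to inf,
    # so finiteness and range are checked on the parsed value, not the text.
    if not math.isfinite(value) or not (low <= value <= high):
        raise ValueError("coordinate out of range: %r" % (value,))
    return value


def js_number_literal(value):
    """Render a validated float as a JavaScript number literal.

    json.dumps of a finite float only ever produces digits, '-', '.', 'e'/'E',
    so the result cannot terminate a string, a statement or a <script> element.
    """
    return json.dumps(value)


def render_map_script(thelat, thelng):
    """Build the inline script a street_view.php-style page emits, safely.

    Both parameters are validated before they reach the JavaScript context;
    invalid input never produces a page at all (the caller should answer 400).
    The unsafe pattern the advisory describes would instead be the equivalent of
    "var thelat = '" + thelat + "';" with the raw GET value.
    """
    lat = parse_coordinate(thelat, -90.0, 90.0)     # assumed latitude range
    lng = parse_coordinate(thelng, -180.0, 180.0)   # assumed longitude range
    return (
        "<script>\n"
        "var thelat = " + js_number_literal(lat) + ";\n"
        "var thelng = " + js_number_literal(lng) + ";\n"
        "</script>"
    )


if __name__ == "__main__":
    print(render_map_script("51.5074", "-0.1278"))
    for bad in ("51.5';", "<script>", "1e3", "91"):
        try:
            render_map_script(bad, "0")
        except ValueError as exc:
            print("rejected:", exc)
```

The order matters: encoding alone (for example JSON-encoding an arbitrary string) would also stop script injection, but validating first means the page never has to reason about what a non-numeric latitude means downstream, and a 400 response gives the log-based detections below a clean signal to alert on.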
Attack Vector
The attack vector is network-based and requires user interaction. An attacker authenticated to the Open ISES Tickets instance crafts a URL targeting street_view.php with a malicious JavaScript payload supplied in the thelat or thelng parameter. The attacker delivers the URL through phishing, chat, or another social channel. When an authenticated victim follows the link, the server reflects the payload into the response and the browser executes it. Details are documented in the VulnCheck Advisory on XSS.
No public exploit code or proof-of-concept artifacts are referenced beyond the advisory. The vulnerability mechanism is reflected XSS through unsanitized GET parameters embedded in inline JavaScript.
Detection Methods for CVE-2026-35013
Indicators of Compromise
- Web server access logs showing GET requests to street_view.php containing suspicious characters in thelat or thelng, such as <, >, ", ', ;, or script
- Referrer headers pointing to untrusted external domains preceding access to street_view.php
- Unexpected outbound requests from user browsers immediately after loading street_view.php
Detection Strategies
- Inspect HTTP logs for thelat or thelng values that do not match a strict numeric latitude/longitude pattern
- Deploy a web application firewall rule that blocks reflected XSS patterns on street_view.php query parameters
- Correlate authenticated user sessions with anomalous JavaScript execution or cookie access events in browser telemetry
Monitoring Recommendations
- Enable verbose access logging on the Open ISES Tickets web server and retain logs centrally for review
- Alert on requests to street_view.php containing URL-encoded angle brackets or JavaScript keywords
- Monitor for sudden spikes in traffic to street_view.php from a small set of source IPs or referrers, indicating targeted link delivery
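The detection strategies and monitoring recommendations above can be exercised directly against web server access logs: parse each request line, isolate requests to street_view.php, percent-decode thelat and thelng, and flag any value that fails the strict numeric pattern or contains the characters and keywords listed as indicators, recording the referer so external link delivery is visible alongside the hit. The following is an added Python log scanner, not tooling from the vendor or from the advisory; the Combined Log Format sample lines, the tickets.example hostname and the finding field names are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Combined Log Format lines for illustration; not taken from any real server.
SAMPLE_LOG = """\
203.0.113.10 - alice [20/May/2026:10:01:02 +0000] "GET /street_view.php?thelat=51.5074&thelng=-0.1278 HTTP/1.1" 200 5120 "https://tickets.example/ticket.php?id=7" "Mozilla/5.0"
203.0.113.11 - bob [20/May/2026:10:03:45 +0000] "GET /street_view.php?thelat=51.5%27%3B%2F%2F&thelng=0 HTTP/1.1" 200 5210 "https://chat.example.net/room/12" "Mozilla/5.0"
203.0.113.12 - carol [20/May/2026:10:04:10 +0000] "GET /street_view.php?thelat=%3Cscript%3E&thelng=0 HTTP/1.1" 200 5199 "-" "Mozilla/5.0"
203.0.113.13 - dave [20/May/2026:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Strict latitude/longitude grammar; anything else is suspicious for these parameters.
COORD_RE = re.compile(r"^-?[0-9]+(\.[0-9]+)?$")
# Characters and keywords the advisory lists as indicators in thelat/thelng.
XSS_HINT_RE = re.compile(r"""[<>"';]|script|javascript|onerror|onload""", re.IGNORECASE)
# Hostname the application itself is served from (assumed value for the example).
TRUSTED_REFERER_HOSTS = {"tickets.example"}
WATCHED_PATH = "/street_view.php"
WATCHED_PARAMS = ("thelat", "thelng")


def referer_host(referer):
    """Return the referer hostname, or None when the header is absent ('-')."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def analyse_line(line):
    """Return a list of findings for one access-log line (empty when nothing is wrong)."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return []
    parts = urlsplit(m["target"])
    if parts.path != WATCHED_PATH:
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for name in WATCHED_PARAMS:
        for decoded_once in params.get(name, []):
            # parse_qs already percent-decoded once; decoding again catches
            # %2527-style double encoding meant to slip past a single-decode filter.
            value = unquote(decoded_once)
            reasons = []
            if not COORD_RE.fullmatch(value):
                reasons.append("non-numeric")
            if XSS_HINT_RE.search(value):
                reasons.append("xss-characters")
            if reasons:
                host = referer_host(m["referer"])
                findings.append({
                    "ip": m["ip"], "user": m["user"], "ts": m["ts"],
                    "param": name, "value": value, "reasons": reasons,
                    "referer_host": host,
                    "external_referer": host is not None and host not in TRUSTED_REFERER_HOSTS,
                })
    return findings


def scan_log(text):
    """Scan a whole log (a string or an iterable of lines) and return all findings in order."""
    lines = text.splitlines() if isinstance(text, str) else text
    findings = []
    for line in lines:
        findings.extend(analyse_line(line))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%s %s user=%s %s=%r reasons=%s referer=%s" % (
            f["ts"], f["ip"], f["user"], f["param"], f["value"],
            ",".join(f["reasons"]), f["referer_host"]))
```

Run against the sample, the first line (plain coordinates, internal referer) produces nothing, the second is flagged on thelat for both a non-numeric value and breakout characters with an external referer, and the third is flagged for a literal <script> tag with no referer at all. Counting findings per source IP or per referer host over a time window gives the spike indicator from the last monitoring bullet.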
How to Mitigate CVE-2026-35013
Immediate Actions Required
- Upgrade Open ISES Tickets to version 3.44.2 or later as published in the GitHub Release v3.44.2
- Audit existing web server logs for prior exploitation attempts against street_view.php
- Rotate session tokens and cookies for users who may have followed suspicious links to the affected endpoint
Patch Information
The vendor remediated the issue in commit ecfeb406a016766cae81c749e14b5145a9f2dbff, included in release v3.44.2. The patch applies input handling to the thelat and thelng parameters before they are written into JavaScript context. Review the change in the GitHub Commit Update.
Workarounds
- Restrict access to street_view.php through web server configuration until the patch is applied
- Apply a WAF rule that rejects non-numeric values in the thelat and thelng parameters
- Enforce a strict Content Security Policy that disallows inline script execution to reduce XSS impact
# Example nginx rule rejecting non-numeric thelat/thelng values.
# Place these checks inside the location that already hands street_view.php to
# PHP-FPM (or add the fastcgi directives here): an exact-match location takes
# precedence over a "~ \.php$" regex location, and without a fastcgi_pass nginx
# would serve the PHP source as a static file. "if" combined with "return" is one
# of the usages nginx documents as safe inside a location block.
location = /street_view.php {
    # Optional sign, digits, optional fraction; nothing else reaches the script.
    # $arg_* is not percent-decoded, so encoded quotes or angle brackets also fail.
    # A missing parameter yields an empty value and is rejected as well.
    if ($arg_thelat !~ "^-?[0-9]+(\.[0-9]+)?$") { return 400; }
    if ($arg_thelng !~ "^-?[0-9]+(\.[0-9]+)?$") { return 400; }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.