CVE-2026-2545 identifies a cross-site scripting (XSS) vulnerability in LigeroSmart, a ticketing and customer support platform, affecting all versions up to 6.1.26. The vulnerability resides in the /otrs/index.pl script, specifically when handling the 'Profile' parameter in the AgentTicketSearch action. An attacker can craft malicious input to this parameter, which is then improperly sanitized or encoded, allowing the injection and execution of arbitrary JavaScript in the context of a legitimate user's browser session. This flaw is remotely exploitable without authentication, though it requires the victim to interact with a crafted link or page to trigger the payload. The vulnerability has been publicly disclosed with exploit code available, increasing the risk of exploitation. LigeroSmart developers have been notified but have not yet released a patch or official fix. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, but user interaction is necessary. The impact primarily affects confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized actions performed via the victim's browser. Availability impact is minimal. The vulnerability is present across a wide range of versions, making many deployments susceptible. No mitigations or patches have been officially published, leaving organizations reliant on internal controls or temporary workarounds.

The primary impact of this XSS vulnerability is the potential compromise of user sessions and credentials, which can lead to unauthorized access to sensitive ticketing and customer support data. Attackers can leverage this to impersonate legitimate users, escalate privileges, or conduct further attacks such as phishing or malware distribution within the affected organization's network. Since LigeroSmart is often used in enterprise environments for managing support tickets and internal communications, exploitation could disrupt business operations and damage organizational reputation. The medium severity score reflects the moderate ease of exploitation combined with the need for user interaction. However, the public availability of exploit code increases the likelihood of opportunistic attacks. Organizations without timely mitigation may face data breaches, loss of customer trust, and compliance violations, especially in regulated industries. The lack of an official patch prolongs exposure and complicates risk management.

Given the absence of an official patch, organizations should implement immediate compensating controls. These include: 1) Applying strict input validation and sanitization on the 'Profile' parameter at the web application firewall (WAF) or reverse proxy level to block malicious payloads; 2) Implementing Content Security Policy (CSP) headers to restrict script execution and mitigate impact of injected scripts; 3) Restricting access to the /otrs/index.pl?Action=AgentTicketSearch endpoint to trusted internal networks or authenticated users only; 4) Educating users to avoid clicking suspicious links and reporting unusual application behavior; 5) Monitoring logs for unusual requests targeting the vulnerable parameter; 6) Planning and prioritizing upgrade or patch deployment once LigeroSmart releases a fix; 7) Considering temporary disabling or limiting the vulnerable functionality if feasible. These steps reduce attack surface and limit exploitation opportunities until a permanent fix is available.