CVE-2024-55494

Name of the Vulnerable Software and Affected Versions Opencode Mobile Collect Call version 5.4.7

Description The issue allows attackers to execute arbitrary web scripts or HTML, potentially leading to Remote Code Execution (RCE) and cross-site scripting (XSS). This can be achieved by injecting a crafted payload into the op func parameter at the "/occontrolpanel/index.php" API endpoint.

Recommendations For Opencode Mobile Collect Call version 5.4.7, consider restricting access to the /occontrolpanel/index.php API endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the op func parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.