CVE-2025-65235

CVE-2025-65235 affects OpenCode Systems USSD Gateway OC Release: 5, Version 6.13.11, with a SQL injection in the ID parameter of the getSubUsersByProvider function. Connected sources (Red Hat, EU ENISA, NVD/CVE records, CNNVD) corroborate a SQL injection vulnerability in this release. The CVSSv3....

CVE-2025-70614

The CVE-2025-70614 entry applies to OpenCode Systems OC Messaging / USSD Gateway OC Release 6.32.2. The vulnerability is due to broken access control in the web-based control panel, allowing an authenticated low-privileged user to access arbitrary SMS messages by tampering with a company or tenan...

CVE-2025-65236

CVE-2025-65236 affects OpenCode Systems USSD Gateway OC Release 5. The issue is a SQL injection via the Session ID parameter in the endpoint /occontrolpanel/index.php . CVSS v3.1 base score is 9.8 (CRITICAL) with network attack vector, no user interaction, and no privileges required; impacts incl...

CVE-2025-65237

OpenCode Systems USSD Gateway OC Release 5 is affected by a reflected XSS vulnerability that lets an attacker inject arbitrary JavaScript into a user’s browser by sending a crafted payload. The issue is documented across multiple sources (e.g., Red Hat CVE entry and NVD) with a CVSSv3.1 base scor...

CVE-2025-65238

OpenCode Systems USSD Gateway OC is affected by CVE-2025-65238. The issue is an incorrect access control in the getSubUsersByProvider function, in OC Release 5 Version 6.13.11, which could allow attackers with low privileges to dump user records and access sensitive information. The available con...

CVE-2025-65239

CVE-2025-65239 affects OpenCode Systems USSD Gateway OC Release:5 (version 6.13.11). The /aux1/ocussd/trace endpoint has incorrect access control, enabling attackers with low privileges to read server logs. Reported CVSSv3.1 base score is 4.3 (MEDIUM), with network access, low privileges required...