CVE-2024-55494: n/a
CVE-2024-55494 is a PHP code injection vulnerability in Opencode Mobile Collect Call version 5.4.7 that allows attackers to execute arbitrary web scripts or HTML via the op_func parameter in /occontrolpanel/index.php. This flaw can lead to remote code execution (RCE) and cross-site scripting (XSS) attacks. The vulnerability requires no privileges but does require user interaction, such as clicking a crafted link. It has a CVSS score of 6.1, indicating medium severity, with a low impact on confidentiality and integrity but no impact on availability. No known exploits are currently reported in the wild, and no patches have been published yet. Organizations using this specific version of Opencode Mobile Collect Call are at risk, especially those exposing the vulnerable endpoint to untrusted users.
AI Analysis
Technical Summary
CVE-2024-55494 is a PHP code injection vulnerability identified in Opencode Mobile Collect Call version 5.4.7, specifically within the /occontrolpanel/index.php script. The vulnerability arises from improper sanitization of the op_func parameter, which allows an attacker to inject crafted payloads containing arbitrary web scripts or HTML. This injection can lead to remote code execution (RCE), enabling attackers to execute arbitrary commands on the server, and cross-site scripting (XSS), which can be used to hijack user sessions or deliver malicious scripts to users. The vulnerability does not require authentication (PR:N) but does require user interaction (UI:R), such as a victim clicking a malicious link. The attack vector is network-based (AV:N), meaning it can be exploited remotely over the internet. The vulnerability scope is changed (S:C), indicating that exploitation can affect resources beyond the vulnerable component. The CVSS v3.1 base score is 6.1, reflecting medium severity, with low confidentiality and integrity impacts and no availability impact. No patches or official fixes have been released at the time of publication, and no known exploits are reported in the wild. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation, aka Cross-site Scripting). This flaw poses a significant risk to organizations running this specific version of Opencode Mobile Collect Call, especially if the vulnerable endpoint is exposed to untrusted networks or users.
Potential Impact
The primary impact of CVE-2024-55494 is the potential for attackers to execute arbitrary code on affected servers, which can lead to unauthorized access, data leakage, or further compromise of internal systems. The XSS component can facilitate session hijacking, phishing, or distribution of malware to users interacting with the vulnerable web interface. Although the vulnerability does not directly impact availability, successful exploitation could allow attackers to pivot within the network or escalate privileges. Organizations relying on Opencode Mobile Collect Call for telephony or call management services may face operational disruptions and reputational damage if exploited. The lack of authentication requirement increases the risk of exploitation, especially in environments where the vulnerable endpoint is publicly accessible. The absence of known exploits in the wild suggests a window for proactive mitigation before widespread attacks occur.
Mitigation Recommendations
1. Immediately restrict access to the /occontrolpanel/index.php endpoint, limiting it to trusted internal networks or VPN users only.
2. Implement strict input validation and sanitization on the op_func parameter to reject or neutralize malicious payloads.
3. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the vulnerable parameter.
4. Monitor web server logs and application logs for unusual or malformed requests to the vulnerable endpoint.
5. If possible, disable or remove unnecessary features or modules related to op_func to reduce the attack surface.
6. Engage with the vendor or community to obtain patches or updates addressing this vulnerability and apply them promptly once available.
7. Educate users about the risks of clicking unknown or suspicious links that could trigger the vulnerability.
8. Conduct regular security assessments and penetration tests focusing on web application inputs and injection flaws.
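The check behind mitigation items 2 to 4, written here as an added Python example (not code from the advisory or the vendor): it parses constructed Apache access-log lines, keeps only requests to /occontrolpanel/index.php, and flags any op_func value that is not a plain identifier after percent-decoding. The identifier-only allowlist is an assumption, since the advisory does not say what op_func normally carries; adjust it to the values the control panel actually uses.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache "combined" format; addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2026:21:40:01 +0000] "GET /occontrolpanel/index.php?op_func=dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Feb/2026:21:41:17 +0000] "GET /occontrolpanel/index.php?op_func=%3Cx%3E HTTP/1.1" 200 4097 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Feb/2026:21:42:05 +0000] "GET /occontrolpanel/login.php HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.9 - - [25/Feb/2026:21:43:40 +0000] "POST /occontrolpanel/index.php?op_func=list_calls%2527%253B HTTP/1.1" 500 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/occontrolpanel/index.php"
# Assumption: benign op_func values are plain identifiers (function names).
# Anything else (angle brackets, quotes, semicolons, whitespace) is flagged.
ALLOWED_OP_FUNC = re.compile(r"[A-Za-z0-9_]{1,64}")

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so double-encoded input is judged on its real content."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious_op_func(value: str) -> bool:
    """True when the decoded value is not a plain identifier."""
    return ALLOWED_OP_FUNC.fullmatch(fully_decode(value)) is None

def scan_access_log(text: str) -> list[dict]:
    """One finding per request to the vulnerable endpoint whose op_func fails the allowlist."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable request line: skip rather than guess
        url = urlsplit(m["target"])
        if not url.path.endswith(VULN_PATH):
            continue
        for value in parse_qs(url.query).get("op_func", []):  # parse_qs strips one encoding layer
            if is_suspicious_op_func(value):
                findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                                 "status": m["status"], "op_func": fully_decode(value)})
    return findings
```

Feed real access logs through scan_access_log and route the findings to the SIEM; the same allowlist regex is the rule to enforce server-side in item 2 and in the WAF rule of item 3.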
Affected Countries
United States, India, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-12-06T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6bd0b7ef31ef0b55b207
Added to database: 2/25/2026, 9:38:24 PM
Last enriched: 2/26/2026, 2:05:57 AM
Last updated: 2/26/2026, 7:38:56 AM