CVE-2024-52882 in One Voice Operations Center

Summary

by MITRE • 02/07/2025

An issue was discovered in AudioCodes One Voice Operations Center (OVOC) before 8.4.582. Due to improper neutralization of input via the devices API, an attacker can inject malicious JavaScript code (XSS) to attack logged-in administrator sessions.


Analysis

by VulDB Data Team • 06/01/2025

The vulnerability identified as CVE-2024-52882 affects AudioCodes One Voice Operations Center (OVOC) versions before 8.4.582. The flaw resides in the devices API component and represents a critical weakness that allows attacker-supplied script to execute against administrative sessions. It stems from insufficient input validation and sanitization, which fail to neutralize potentially malicious data submitted through the API.

This vulnerability constitutes a cross-site scripting attack vector that specifically targets authenticated administrator sessions within the OVOC environment. The improper neutralization of input allows attackers to inject malicious JavaScript payloads that can execute within the context of the administrator's browser session. When administrators interact with the affected API endpoints, their sessions become compromised, potentially enabling full administrative control over the voice operations center infrastructure. The attack requires minimal privileges as it targets existing logged-in administrator sessions rather than requiring initial authentication.

The operational impact of this vulnerability extends beyond simple session hijacking, as it can enable attackers to perform privileged actions within the OVOC system. Attackers could potentially manipulate voice routing configurations, modify user access controls, access sensitive telephony data, or execute arbitrary commands within the platform. The vulnerability affects the integrity and confidentiality of the entire voice operations environment, potentially disrupting critical communication services and exposing sensitive business data to unauthorized access. Organizations relying on AudioCodes OVOC for mission-critical voice infrastructure face significant risk from this flaw.

From a cybersecurity framework perspective, this vulnerability maps directly to CWE-79 Cross-site Scripting and aligns with ATT&CK technique T1566.001 for initial access through malicious web content. The flaw demonstrates poor input validation practices and inadequate output encoding mechanisms that are fundamental to preventing XSS attacks. Organizations should immediately implement the vendor-provided patch for OVOC version 8.4.582 or later to address this vulnerability. Additional mitigations include implementing web application firewalls, monitoring API traffic for suspicious JavaScript payloads, and conducting thorough security assessments of the platform's input handling mechanisms. Regular security updates and vulnerability management processes should be prioritized to prevent similar issues in other components of the voice operations infrastructure.
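The output-encoding and monitoring mitigations named above can be illustrated with a short sketch. This is an added example, not AudioCodes or VulDB code: the device record fields (`id`, `name`, `description`) and the sample records are constructed for illustration and are not the OVOC schema.

```javascript
// Constructed device records, shaped like what a device-management API might return.
// Field names and values are hypothetical, not taken from OVOC.
const devices = [
  { id: 1, name: "SBC-Berlin-01", description: "Edge SBC, rack 4" },
  { id: 2, name: "GW <lab>", description: "5 < 10 channels" },
  { id: 3, name: "<img src=x onerror=alert(1)>", description: "ok" },
  { id: 4, name: "MP-118", description: "see javascript:void(0)" },
];

// Output encoding for an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (CWE-79): API-supplied strings concatenated straight into markup.
function renderRowUnsafe(d) {
  return `<tr><td>${d.name}</td><td>${d.description}</td></tr>`;
}

// Hardened pattern: every API-supplied value is encoded at the point of output.
function renderRowSafe(d) {
  return `<tr><td>${escapeHtml(d.name)}</td><td>${escapeHtml(d.description)}</td></tr>`;
}

// Audit helper: flag string fields that carry tags, inline event handlers or
// javascript: URLs, so stored records can be reviewed after patching.
const SUSPICIOUS = [/<\s*\/?\s*[a-z][^>]*>/i, /\bon[a-z]+\s*=/i, /javascript\s*:/i];
function auditDevices(records) {
  const findings = [];
  for (const rec of records) {
    for (const [field, value] of Object.entries(rec)) {
      if (typeof value !== "string") continue;
      if (SUSPICIOUS.some((re) => re.test(value))) findings.push({ id: rec.id, field });
    }
  }
  return findings;
}
```

The audit patterns are a review aid and will flag harmless markup-like names such as record 2; encoding at output is what actually neutralizes the input.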

Responsible: MITRE
Reservation: 11/17/2024
Disclosure: 02/07/2025
Moderation: accepted
CPE: ready
EPSS: 0.00217
KEV: no
Activities: very low
