An issue was discovered in OpenNDS Captive Portal before version 10.1.2. When the custom unescape callback is enabled, attackers can execute arbitrary OS commands by inserting them into the URL portion of HTTP GET requests. Affected OpenNDS Captive Portal before version 10.1.2 fixed in OpenWrt master, OpenWrt 23.05 and OpenWrt 22.03 on 28. August 2023 by updating OpenNDS to version 10.1.3.
References
Configurations
History
21 Nov 2024, 08:13
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/openNDS/openNDS/releases/tag/v10.1.2 - Release Notes, Vendor Advisory | |
References | () https://github.com/openwrt/routing/commit/0b19771fb2dd81e7c428759610aed583171eed80 - | |
References | () https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006-v4/#sthash.2vJg3d85.rwx82g1C.dpbs - |
20 Jun 2024, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | (en) An issue was discovered in OpenNDS Captive Portal before version 10.1.2. When the custom unescape callback is enabled, attackers can execute arbitrary OS commands by inserting them into the URL portion of HTTP GET requests. Affected OpenNDS Captive Portal before version 10.1.2 fixed in OpenWrt master, OpenWrt 23.05 and OpenWrt 22.03 on 28. August 2023 by updating OpenNDS to version 10.1.3. |
23 Nov 2023, 03:35
Type | Values Removed | Values Added |
---|---|---|
First Time |
Opennds
Opennds captive Portal |
|
References | () https://github.com/openNDS/openNDS/releases/tag/v10.1.2 - Release Notes, Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
CWE | CWE-116 | |
CPE | cpe:2.3:a:opennds:captive_portal:*:*:*:*:*:*:*:* |
17 Nov 2023, 06:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-11-17 06:15
Updated : 2024-11-21 08:13
NVD link : CVE-2023-38316
Mitre link : CVE-2023-38316
CVE.ORG link : CVE-2023-38316
JSON object : View
Products Affected
opennds
- captive_portal
CWE
CWE-116
Improper Encoding or Escaping of Output