First published: Fri Nov 17 2023(Updated: )
An issue was discovered in OpenNDS Captive Portal before 10.1.2. it has a do_binauth NULL pointer dereference that can be triggered with a crafted GET HTTP request with a missing client redirect query string parameter. Triggering this issue results in crashing openNDS (a Denial-of-Service condition). The issue occurs when the client is about to be authenticated, and can be triggered only when the BinAuth option is set.
|Affected Software||Affected Version||How to fix|
|OpenNDS Captive Portal||<10.1.2|
The vulnerability ID is CVE-2023-38313.
The severity of CVE-2023-38313 is high, with a severity value of 7.5.
The affected software is OpenNDS Captive Portal version up to exclusive 10.1.2.
The vulnerability can be triggered by a crafted GET HTTP request with a missing client redirect query string parameter.
The vulnerability can result in crashing OpenNDS, causing a Denial-of-Service condition.