First published: Fri Nov 17 2023(Updated: )
An issue was discovered in OpenNDS Captive Portal before version 10.1.2. It has a NULL pointer dereference in preauthenticated() that can be triggered with a crafted GET HTTP request with a missing redirect query string parameter. Triggering this issue results in crashing OpenNDS (a Denial-of-Service condition).
|Affected Software||Affected Version||How to fix|
|OpenNDS Captive Portal||<10.1.2|
CVE-2023-38314 is a vulnerability in OpenNDS Captive Portal before version 10.1.2 that allows for a NULL pointer dereference in the preauthenticated() function.
The severity of CVE-2023-38314 is medium with a CVSS score of 6.5.
CVE-2023-38314 affects OpenNDS Captive Portal version prior to 10.1.2.
CVE-2023-38314 can be exploited by sending a crafted GET HTTP request with a missing redirect query string parameter to trigger a NULL pointer dereference in the preauthenticated() function, resulting in a denial-of-service (DoS) condition.
To fix CVE-2023-38314, it is recommended to upgrade OpenNDS Captive Portal to version 10.1.2 or later.