CVE-2023-38316
First published: Fri Nov 17 2023(Updated: )
An issue was discovered in OpenNDS Captive Portal before version 10.1.2. When the custom unescape callback is enabled, attackers can execute arbitrary OS commands by inserting them into the URL portion of HTTP GET requests. Affected OpenNDS Captive Portal before version 10.1.2 fixed in OpenWrt master, OpenWrt 23.05 and OpenWrt 22.03 on 28. August 2023 by updating OpenNDS to version 10.1.3.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenNDS Captive Portal | <10.1.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-38316?
CVE-2023-38316 is a vulnerability discovered in OpenNDS Captive Portal before version 10.1.2.
How does CVE-2023-38316 affect the software?
CVE-2023-38316 allows attackers to execute arbitrary OS commands by inserting them into the URL portion of HTTP GET requests in OpenNDS Captive Portal before version 10.1.2.
What is the severity level of CVE-2023-38316?
CVE-2023-38316 has a severity level of critical, with a CVSS score of 9.8.
How can I mitigate CVE-2023-38316?
To mitigate CVE-2023-38316, it is recommended to update to version 10.1.2 or above of OpenNDS Captive Portal.
Where can I find more information about CVE-2023-38316?
You can find more information about CVE-2023-38316 in the OpenNDS Captive Portal release notes at the following link: https://github.com/openNDS/openNDS/releases/tag/v10.1.2
- agent/event
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/references
- agent/author
- agent/tags
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/opennds
- canonical/opennds captive portal