First published: Fri Nov 17 2023
An issue was discovered in the captive portal in OpenNDS before version 10.1.3. get_query in http_microhttpd.c does not validate the length of the query string of GET requests. This leads to a stack-based buffer overflow in versions 9.x and earlier, and to a heap-based buffer overflow in versions 10.x and later. Attackers may exploit the issue to crash OpenNDS (Denial-of-Service condition) or to inject and execute arbitrary bytecode (Remote Code Execution).
The severity of CVE-2023-41101 is critical with a CVSS score of 9.8.
To fix the vulnerability CVE-2023-41101, you need to update OpenNDS to version 10.1.3 or later.
CVE-2023-41101 affects OpenNDS versions 9.x and earlier, and versions 10.x up to and including 10.1.2.
The CWE IDs for CVE-2023-41101 are CWE-119 and CWE-787.
You can find more information about CVE-2023-41101 on the GitHub page of OpenNDS.
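The flaw described above is a copy of request-controlled query data into a fixed-size buffer without a length check. The following C code is an added example, not OpenNDS code and not its actual patch: it assembles a query string with a length check that rejects oversize input instead of overflowing or truncating. The names `query_buf`, `query_init`, `query_append` and the 256-byte `QUERY_MAX` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define QUERY_MAX 256 /* assumed cap for this example, not OpenNDS's value */

struct query_buf {
    char data[QUERY_MAX];
    size_t len; /* bytes used, excluding the terminating NUL */
};

void query_init(struct query_buf *q) { q->len = 0; q->data[0] = '\0'; }

/* Append "key=value" ('&'-separated; value may be NULL for a bare key).
 * Returns 0, or -1 if the pair does not fit; q is then left unchanged. */
int query_append(struct query_buf *q, const char *key, const char *value)
{
    size_t klen = strlen(key);
    size_t vlen = value ? strlen(value) : 0;
    size_t room = sizeof q->data - 1 - q->len;         /* keep 1 for NUL */
    size_t fixed = (q->len ? 1 : 0) + (value ? 1 : 0); /* '&' and '=' */
    /* Subtraction form: no sum of request-sized lengths can wrap. */
    if (fixed > room || klen > room - fixed || vlen > room - fixed - klen)
        return -1;
    char *p = q->data + q->len;
    if (q->len)
        *p++ = '&';
    memcpy(p, key, klen);
    p += klen;
    if (value) {
        *p++ = '=';
        memcpy(p, value, vlen);
        p += vlen;
    }
    *p = '\0';
    q->len = (size_t)(p - q->data);
    return 0;
}

int main(void)
{
    char big[1024]; /* constructed oversized value */
    struct query_buf q;
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    query_init(&q);
    int ok = query_append(&q, "redir", "http://example.test/");
    int rejected = query_append(&q, "x", big);
    printf("%d %d %s\n", ok, rejected, q.data);
    return 0;
}
```

A caller that receives -1 should fail the request rather than continue with a partial query string.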