PT-2023-26356 · Unknown+1 · Opennds Captive Portal+1
Bluewavenet
·
Publicado
2023-11-17
·
Atualizado
2024-06-20
·
CVE-2023-38316
CVSS v3.1
9.8
Crítica
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
OpenNDS Captive Portal versions prior to 10.1.2
OpenNDS Captive Portal version 10.1.2 is not affected, as the issue is fixed in version 10.1.3.
Description
An issue was discovered in OpenNDS Captive Portal. When the custom unescape callback is enabled, attackers can execute arbitrary OS commands by inserting them into the URL portion of HTTP GET requests.
Recommendations
For OpenNDS Captive Portal versions prior to 10.1.2, update to version 10.1.3 to resolve the issue.
As a temporary workaround, consider disabling the custom unescape callback until a patch is available.
Correção
Improper Encoding or Escaping of Output
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Debian
Opennds Captive Portal