PT-2023-26353 · OpenNDS · OpenNDS Captive Portal

Bluewavenet · Published 2023-11-17 · Updated 2024-06-20 · CVE-2023-38313

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: OpenNDS Captive Portal versions prior to 10.1.2

Description: An issue in OpenNDS Captive Portal can be triggered by a crafted HTTP GET request in which the client redirect query-string parameter is missing, resulting in a NULL pointer dereference. This crashes OpenNDS, leading to a Denial-of-Service condition. The issue occurs during client authentication and can only be triggered when the BinAuth option is set.

Recommendations: For OpenNDS Captive Portal versions prior to 10.1.2, update to version 10.1.3 to resolve the issue. As a temporary workaround, consider disabling the BinAuth option until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the client redirect parameter in the affected API endpoint until the issue is resolved.
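As an added illustration (not OpenNDS code and not part of the advisory), the C sketch below contrasts a handler that uses a missing query-string parameter unchecked with one that rejects the request and keeps the daemon alive. The lookup helper query_param, the parameter name redir and the handler names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal query-string lookup (constructed for this example, not OpenNDS
 * code): returns a pointer to the value of `key` inside "k=v&k2=v2", or
 * NULL when the parameter is absent. No URL decoding is done. */
static const char *query_param(const char *qs, const char *key) {
    size_t klen = strlen(key);
    const char *p = qs;
    while (p != NULL && *p != '\0') {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=')
            return p + klen + 1;
        p = strchr(p, '&');      /* advance to the next parameter */
        if (p != NULL)
            p++;
    }
    return NULL;
}

/* 'Before': the pattern behind the advisory. The value is used without a
 * NULL check, so a request with the parameter missing dereferences NULL
 * and takes the whole daemon down (the DoS described above). */
static size_t redirect_len_unchecked(const char *qs) {
    const char *redir = query_param(qs, "redir");  /* may be NULL */
    return strlen(redir);                          /* crashes when NULL */
}

/* 'After': validate before use. Returns the HTTP status the handler would
 * send; on 302 `location` holds the redirect target, on 400 the request is
 * rejected and the process keeps serving other clients. */
static int handle_redirect_checked(const char *qs, char *location, size_t len) {
    const char *redir = (qs != NULL) ? query_param(qs, "redir") : NULL;
    if (redir == NULL || *redir == '\0')
        return 400;                      /* missing or empty: reject */
    size_t n = strcspn(redir, "&");      /* value ends at the next '&' */
    if (n >= len)
        return 400;                      /* would not fit: reject too */
    memcpy(location, redir, n);
    location[n] = '\0';
    return 302;
}

int main(void) {
    char loc[64];
    int st = handle_redirect_checked("tok=abc", loc, sizeof loc);
    printf("missing redir -> HTTP %d, no crash\n", st);  /* HTTP 400 */
    return 0;
}
```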

Tags: Fix · DoS · NULL Pointer Dereference


Weakness Enumeration

Related Identifiers: CVE-2023-38313

Affected Products: Debian, OpenNDS Captive Portal