CVE-2023-38316
published 2023-11-17

Priority P260 | critical | 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.08% (61.0th percentile)

An issue was discovered in OpenNDS Captive Portal before version 10.1.2. When the custom unescape callback is enabled, attackers can execute arbitrary OS commands by inserting them into the URL portion of HTTP GET requests. Affected: OpenNDS Captive Portal before version 10.1.2. Fixed in OpenWrt master, OpenWrt 23.05 and OpenWrt 22.03 on 28 August 2023 by updating OpenNDS to version 10.1.3.

Affected

4 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | opennds | < opennds 10.2.0+dfsg-1 (forky) | opennds 10.2.0+dfsg-1 (forky) |
| opennds | captive_portal | < 10.1.2 | 10.1.2 |
| opennds | opennds | >= 0 < 10.2.0+dfsg-1 | 10.2.0+dfsg-1 |
| opennds | opennds | >= 0 < 10.2.0+dfsg-1 | 10.2.0+dfsg-1 |

Detection & IOCs (extracted from sources)

  • Exploit vector targets the URL portion of HTTP GET requests when the custom unescape callback is enabled in OpenNDS Captive Portal; monitor for OS command injection patterns (e.g., shell metacharacters) embedded in GET request URLs directed at the OpenNDS captive portal service.
  • The vulnerability is only exploitable when the 'custom unescape callback' feature is explicitly enabled in OpenNDS configuration. Deployments with this callback disabled are not affected.

CVSS provenance

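| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |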