An issue was discovered in OpenNDS Captive Portal before version 10.1.2. When the custom unescape callback is enabled, attackers can execute arbitrary OS commands by inserting them into the URL portion of HTTP GET requests.

Related CVEs

CVE-2023-38316

Key Information

GHSA ID

GHSA-857f-w8mj-5g2g

Published

November 17, 2023 6:31 AM

Last Modified

June 20, 2024 6:34 PM

CVSS Score

9.0 /10

Primary Ecosystem

Unknown

Primary Package

Unknown

GitHub Reviewed

✗ No

Dataset

Last updated: July 30, 2025 6:36 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.