VU#887923: Kiwire Captive Port... Note

VU#887923: Kiwire Captive Portal contains 3 web vulnerabilities

The Kiwire Captive Portal, a guest Wi-Fi solution by SynchroWeb, has three critical vulnerabilities. These include SQL injection in the nas-id parameter, allowing database compromise. An open redirection vulnerability exists in the login-url parameter, enabling redirection to malicious sites. Additionally, a reflected cross-site scripting (XSS) vulnerability is present in the login-url parameter, permitting JavaScript execution. The SQL injection vulnerability, CVE-2025-11188, allows attackers to exfiltrate sensitive data from the database. CVE-2025-11190, the open redirection, can lure users to attacker-controlled websites. CVE-2025-11189, the XSS vulnerability, allows JavaScript to execute on devices attempting to log in. The vendor has addressed all three vulnerabilities. Users of affected Kiwire Captive Portal versions are strongly advised to update to the latest version. A security advisory is available on the SynchroWeb website. SynchroWeb will also contact affected users to assist with patching.