Today > 2 Critical | 5 High | 12 Medium | 1 Low vulnerabilities   -   You can now download lists of IOCs here!

CVE-2024-53276

Dec. 24, 2024, 2:15 a.m.

CVSS Score

6.1 / 10

Product(s) Impacted

Home-Gallery.org

  • 1.15.0 and earlier

Description

Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. In 1.15.0 and earlier, an open CORS policy in app.js may allow an attacker to view the images of home-gallery when it is using the default settings. The following express middleware allows any website to make a cross site request to home-gallery, thus allowing them to read any endpoint on home-gallery. Home-gallery is mostly safe from cross-site requests due to most of its pages requiring JavaScript, and cross-site requests such as fetch() do not render javascript. If an attacker is able to get the path of the preview images which are randomized, an attacker will be able to view such a photo. If any static files or endpoints are introduced in the future that contain sensitive information, they will be accessible to an attacker website.

Weaknesses

CWE-942
Permissive Cross-domain Policy with Untrusted Domains

The product uses a cross-domain policy file that includes domains that should not be trusted.

CWE ID: 942

Date

Published: Dec. 23, 2024, 6:15 p.m.

Last Modified: Dec. 24, 2024, 2:15 a.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score
6.1
Exploitability Score
2.8
Impact Score
2.7
Base Severity
MEDIUM
CVSS Vector String

The CVSS vector string provides an in-depth view of the vulnerability metrics.

View Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

https://github.com/ security-advisories@github.com

https://securitylab.github.com/ security-advisories@github.com