CVE-2024-42364

Name of the Vulnerable Software and Affected Versions Homepage version 0.9.1

Description The default setup of Homepage is vulnerable to DNS rebinding due to the lack of certificate and authentication. An attacker can exploit this by changing the DNS records of their domain to the internal IP address of the Homepage instance, allowing them to extract private information such as API keys and other sensitive data. The attack involves the attacker's website changing its DNS records to the internal IP address of the Homepage instance, and then fetching the attacker's domain, which responds with the Homepage instance's data.

Recommendations For version 0.9.1, update to a newer version as soon as it becomes available, as the current version is vulnerable to DNS rebinding. As a temporary workaround, consider setting up certificate and authentication for the Homepage instance to prevent DNS rebinding attacks. Restrict access to the Homepage instance to minimize the risk of exploitation until a patch is available.