CVE-2024-53275

Name of the Vulnerable Software and Affected Versions Home-Gallery.org versions 1.15.0 and earlier

Description The default setup of Home-Gallery.org is vulnerable to DNS rebinding due to the lack of TLS and user authentication. An attacker can exploit this by changing the DNS records of their domain to the internal IP address of the Home-Gallery instance, allowing them to extract photos from the gallery. The attack involves the attacker website changing its DNS records to the internal IP address of the Home-Gallery instance, and then reading the response of the web server after the IP address has changed. The response will be from the Home-Gallery instance, not the attacker website, because the IP address has been changed.

Recommendations For versions 1.15.0 and earlier, consider enabling TLS and user authentication to prevent DNS rebinding attacks. As a temporary workaround, restrict access to the Home-Gallery instance to minimize the risk of exploitation. Avoid using the default setup without proper security configurations until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.