🛡️ CVE-2024-53275
⚪ Unknown ✅ No Known Exploit CWE-350 NVD
N/A
CVSS Score
0 Low4 Medium7 High9 Critical10

Description

Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. In 1.15.0 and earlier, the default setup of home-gallery is vulnerable to DNS rebinding. Home-gallery is set up without TLS and user authentication by default, leaving it vulnerable to DNS rebinding. In this attack, an attacker will ask a user to visit their website. The attacker website will then change the DNS records of their domain from their IP address to the internal IP address of the home-gallery instance. To tell which IP addresses are valid, we can rebind a subdomain to each IP address we want to check, and see if there is a response. Once potential candidates have been found, the attacker can launch the attack by reading the response of the web server after the IP address has changed. When the attacker domain is fetched, the response will be from the home-gallery instance, not the attacker website, because the IP address has been changed. Due to a lack of authentication, home-gallery photos can then be extracted by the attacker website.

Details

Severity Unknown
CVSS Score N/A
CVSS Vector N/A
CWE CWE-350
Public Exploit ✅ No
Source NVD
Published 2024-12-23
Updated 2026-06-02
Modified 2026-04-15
Fix URL N/A

Affected Packages

Software From version Fixed in
unknown

Similar Threats

Vulnerability Monitoring

Stay informed about vulnerabilities in your stack

BotEraser monitors your WordPress installation and notifies you when software you use appears in our vulnerability database.

Set Up Free Alerts →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.