How severe is CVE-2024-53276?

This vulnerability has a severity rating of MEDIUM with a CVSS score of N/A out of 10.

What type of vulnerability is CVE-2024-53276?

This is classified as CWE-942, which is a common weakness in software security.

CVE-2024-53276 - MEDIUM Severity | CVSS N/A

Vulnerability Description

Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. In 1.15.0 and earlier, an open CORS policy in app.js may allow an attacker to view the images of home-gallery when it is using the default settings. The following express middleware allows any website to make a cross site request to home-gallery, thus allowing them to read any endpoint on home-gallery. Home-gallery is mostly safe from cross-site requests due to most of its pages requiring JavaScript, and cross-site requests such as fetch() do not render javascript. If an attacker is able to get the path of the preview images which are randomized, an attacker will be able to view such a photo. If any static files or endpoints are introduced in the future that contain sensitive information, they will be accessible to an attacker website.

Related Vulnerabilities

CVE-2021-27786

CRITICAL

CVSS:9.8(Critical)

Cross-origin resource sharing (CORS) enables browsers to perform cross domain requests in a controlled manner. This request has an Origin header that identifies the domain that is making the initial r...

CWE-9422021

CVE-2022-26969

CRITICAL

CVSS:9.8(Critical)

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.

CWE-9422022

CVE-2022-31736

CRITICAL

CVSS:9.8(Critical)

A malicious website could have learned the size of a cross-origin resource that supported Range requests. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.

CWE-9422022

CVE-2023-50940

CRITICAL

CVSS:9.8(Critical)

IBM PowerSC 1.3, 2.0, and 2.1 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being...

CWE-9422023

CVE-2024-37131

CRITICAL

CVSS:9.8(Critical)

SCG Policy Manager, all versions, contains an overly permissive Cross-Origin Resource Policy (CORP) vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leadi...

CWE-9422024

CVE-2023-25603

CRITICAL

CVSS:9.1(Critical)

A permissive cross-domain policy with untrusted domains vulnerability in Fortinet FortiADC 7.1.0 - 7.1.1, FortiDDoS-F 6.3.0 - 6.3.4 and 6.4.0 - 6.4.1 allow an unauthorized attacker to carry out privil...

CWE-9422023