CVE-2023-45908
📋 TL;DR
Homarr versions before 0.14.0 contain a stored cross-site scripting (XSS) vulnerability in the Notebook widget. This allows attackers to inject malicious scripts that execute when other users view the notebook, potentially stealing session cookies or performing actions as the victim. All Homarr instances running vulnerable versions with the Notebook widget enabled are affected.
💻 Affected Systems
- Homarr
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain full control of the Homarr instance, pivot to internal systems, or deploy ransomware/malware to connected systems.
Likely Case
Attackers steal user session cookies to impersonate users, modify dashboard configurations, or redirect users to phishing sites.
If Mitigated
Script execution is blocked by Content Security Policy or input validation, limiting impact to UI manipulation without code execution.
🎯 Exploit Status
Exploitation requires user interaction with the Notebook widget. Public proof-of-concept demonstrates basic XSS payload injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.14.0 and later
Vendor Advisory: https://github.com/ajnart/homarr
Restart Required: Yes
Instructions:
1. Backup your Homarr configuration.
2. Update to version 0.14.0 or later using your deployment method (Docker, manual, etc.).
3. Restart the Homarr service.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable Notebook Widget
Temporarily disable the vulnerable Notebook widget to prevent exploitation.
Edit Homarr configuration to remove or disable the Notebook widget
Implement Content Security Policy
Add strict CSP headers to block inline script execution.
Add the header Content-Security-Policy: script-src 'self' to web server responses
🧯 If You Can't Patch
- Isolate Homarr instance to internal network only, blocking external access
- Implement web application firewall (WAF) rules to block XSS payload patterns
🔍 How to Verify
Check if Vulnerable:
Check Homarr version in dashboard settings or via API. If version is below 0.14.0 and Notebook widget is present, instance is vulnerable.
Check Version:
Check Homarr web interface Settings > About, or curl -s http://homarr-host:port/api/version
Verify Fix Applied:
Confirm version is 0.14.0 or higher in dashboard settings. Test Notebook widget with basic XSS payload like <script>alert('test')</script> - it should be sanitized or blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual script tags or JavaScript in Notebook widget entries
- Multiple failed XSS attempts in web logs
Network Indicators:
- HTTP requests containing script tags or JavaScript in POST data to Notebook endpoints
SIEM Query:
web_logs WHERE url_path CONTAINS '/api/widgets/notebook' AND (request_body CONTAINS '<script' OR request_body CONTAINS 'javascript:')
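The SIEM query above expressed as an offline scan over web-server logs, written here as an added example (not Homarr's code or part of this advisory). It assumes JSON-per-line access logs with ts/src/method/path/body fields, which is a constructed format, and it also flags inline event-handler attributes and counts repeat sources, matching the "multiple failed XSS attempts" indicator.

```python
import json
import re

# Patterns from the page's indicators ('<script', 'javascript:') plus inline
# event handlers such as onerror=, all matched case-insensitively.
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Notebook endpoint path as named in the page's SIEM query.
NOTEBOOK_PATH = "/api/widgets/notebook"

# Constructed sample log lines; the field layout is an assumption for this
# example, not Homarr's or any particular reverse proxy's log format.
SAMPLE_LOGS = r"""
{"ts":"2023-10-20T10:00:01Z","src":"10.0.0.5","method":"POST","path":"/api/widgets/notebook","body":"# Shopping list\n- milk"}
{"ts":"2023-10-20T10:00:07Z","src":"10.0.0.9","method":"POST","path":"/api/widgets/notebook","body":"<script>alert('test')</script>"}
{"ts":"2023-10-20T10:00:09Z","src":"10.0.0.9","method":"POST","path":"/api/widgets/notebook","body":"<a href=\"JavaScript:void(0)\">x</a>"}
{"ts":"2023-10-20T10:00:12Z","src":"10.0.0.5","method":"GET","path":"/api/version","body":""}
{"ts":"2023-10-20T10:00:15Z","src":"10.0.0.7","method":"POST","path":"/api/login","body":"<script>x</script>"}
"""

def is_notebook_xss_attempt(entry: dict) -> bool:
    """True when a write to the Notebook endpoint carries script-like content."""
    if entry.get("method", "").upper() not in ("POST", "PUT", "PATCH"):
        return False
    if not entry.get("path", "").startswith(NOTEBOOK_PATH):
        return False
    return SUSPICIOUS.search(entry.get("body", "")) is not None

def scan_logs(raw: str) -> list[dict]:
    """Parse JSON-per-line logs and return the entries that match."""
    hits = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if is_notebook_xss_attempt(entry):
            hits.append(entry)
    return hits

def repeat_offenders(hits: list[dict], threshold: int = 2) -> set[str]:
    """Source addresses with at least `threshold` matching requests."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return {src for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for h in found:
        print(f"{h['ts']} {h['src']} {h['method']} {h['path']} body={h['body']!r}")
    print("repeat offenders:", repeat_offenders(found))
```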