CVE-2023-45671

2023-10-3023:15:08

CWE-79

[email protected]

web.nvd.nist.gov

frigate

network video recorder

open source

cve-2023-45671

security vulnerability

xss

api endpoints

patch

nvd

4.7 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

4.9 Medium

AI Score

Confidence

High

0.019 Low

EPSS

Percentile

88.7%

JSON

Frigate is an open source network video recorder. Prior to version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoints reliant on the /<camera_name> base path as values provided for the path are not sanitized. Exploiting this vulnerability requires the attacker to both know very specific information about a user’s Frigate server and requires an authenticated user to be tricked into clicking a specially crafted link to their Frigate instance. This vulnerability could exploited by an attacker under the following circumstances: Frigate publicly exposed to the internet (even with authentication); attacker knows the address of a user’s Frigate instance; attacker crafts a specialized page which links to the user’s Frigate instance; attacker finds a way to get an authenticated user to visit their specialized page and click the button/link. As the reflected values included in the URL are not sanitized or escaped, this permits execution arbitrary Javascript payloads. Version 0.13.0 Beta 3 contains a patch for this issue.

Affected configurations

Vulners

NVD

Node

blakeblackshearfrigateRange<0.13.0-beta3

CPENameOperatorVersion
frigate:frigatefrigatele0.13.0

CPE	Name	Operator	Version
frigate:frigate	frigate	le	0.13.0

CNA Affected

[
  {
    "vendor": "blakeblackshear",
    "product": "frigate",
    "versions": [
      {
        "version": "< 0.13.0-beta3",
        "status": "affected"
      }
    ]
  }
]