CVE-2023-45671

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-45671
Frigate is an open source network video recorder. Prior to version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoints reliant on the `/<camera_name>` base path as values provided for the path are not sanitized. Exploiting this vulnerability requires the attacker to both know very specific information about a user's Frigate server and requires an authenticated user to be tricked into clicking a specially crafted link to their Frigate instance. This vulnerability could exploited by an attacker under the following circumstances: Frigate publicly exposed to the internet (even with authentication); attacker knows the address of a user's Frigate instance; attacker crafts a specialized page which links to the user's Frigate instance; attacker finds a way to get an authenticated user to visit their specialized page and click the button/link. As the reflected values included in the URL are not sanitized or escaped, this permits execution arbitrary Javascript payloads. Version 0.13.0 Beta 3 contains a patch for this issue.

4.7 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/blakeblackshear/frigate/security/advisories/GHSA-jjxc-m35j-p56f Exploit Vendor Advisory
https://securitylab.github.com/advisories/GHSL-2023-190_Frigate/
https://github.com/blakeblackshear/frigate/security/advisories/GHSA-jjxc-m35j-p56f Exploit Vendor Advisory
https://securitylab.github.com/advisories/GHSL-2023-190_Frigate/
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:frigate:frigate:*:*:*:*:*:*:*:*
cpe:2.3:a:frigate:frigate:0.13.0:beta1:*:*:*:*:*:*
cpe:2.3:a:frigate:frigate:0.13.0:beta2:*:*:*:*:*:*
History

21 Nov 2024, 08:27

Type Values Removed Values Added
References () https://github.com/blakeblackshear/frigate/security/advisories/GHSA-jjxc-m35j-p56f - Exploit, Vendor Advisory () https://github.com/blakeblackshear/frigate/security/advisories/GHSA-jjxc-m35j-p56f - Exploit, Vendor Advisory
References () https://securitylab.github.com/advisories/GHSL-2023-190_Frigate/ - () https://securitylab.github.com/advisories/GHSL-2023-190_Frigate/ -

13 Dec 2023, 20:15

Type Values Removed Values Added
References
  • () https://securitylab.github.com/advisories/GHSL-2023-190_Frigate/ -

08 Nov 2023, 19:08

Type Values Removed Values Added
References (MISC) https://github.com/blakeblackshear/frigate/security/advisories/GHSA-jjxc-m35j-p56f - (MISC) https://github.com/blakeblackshear/frigate/security/advisories/GHSA-jjxc-m35j-p56f - Exploit, Vendor Advisory
First Time Frigate
Frigate frigate
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 4.7
CPE cpe:2.3:a:frigate:frigate:0.13.0:beta2:*:*:*:*:*:*
cpe:2.3:a:frigate:frigate:*:*:*:*:*:*:*:*
cpe:2.3:a:frigate:frigate:0.13.0:beta1:*:*:*:*:*:*

30 Oct 2023, 23:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-10-30 23:15

Updated : 2024-11-21 08:27

NVD link : CVE-2023-45671

Mitre link : CVE-2023-45671

CVE.ORG link : CVE-2023-45671

JSON object : View

Products Affected

frigate

  • frigate
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024