CVE-2023-45671
Published: 30 October 2023
Summary
CVE-2023-45671 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Frigate Frigate. Its CVSS base score is 4.7 (Medium).
Operationally, ranked in the top 3.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Frigate, an open source network video recorder, contains a reflected cross-site scripting vulnerability in all API endpoints that rely on the /<camera_name> base path. Prior to version 0.13.0 Beta 3, values supplied in this path segment are not sanitized or escaped before being reflected in responses, allowing arbitrary JavaScript execution when the crafted URL is processed by a browser. The issue is tracked as CWE-79 and carries a CVSS 3.1 score of 4.7.
An attacker must know the address of a target Frigate instance and craft a page containing a malicious link or button that points to it. If the instance is reachable over the internet and an authenticated user is tricked into following the link, the attacker can execute JavaScript in the context of that user’s session. The attack therefore requires both prior knowledge of the server and successful social engineering of an authenticated victim.
The GitHub Security Advisory GHSA-jjxc-m35j-p56f and the associated GHSL-2023-190 report state that the flaw is resolved in Frigate 0.13.0 Beta 3. Administrators are advised to upgrade to the patched release; no other work-arounds are documented in the references. The EPSS score has remained at 0.3214 with no indicated rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-49961
Vulnerability details
Frigate is an open source network video recorder. Prior to version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoints reliant on the `/<camera_name>` base path as values provided for the path are not sanitized.…
more
Exploiting this vulnerability requires the attacker to both know very specific information about a user's Frigate server and requires an authenticated user to be tricked into clicking a specially crafted link to their Frigate instance. This vulnerability could exploited by an attacker under the following circumstances: Frigate publicly exposed to the internet (even with authentication); attacker knows the address of a user's Frigate instance; attacker crafts a specialized page which links to the user's Frigate instance; attacker finds a way to get an authenticated user to visit their specialized page and click the button/link. As the reflected values included in the URL are not sanitized or escaped, this permits execution arbitrary Javascript payloads. Version 0.13.0 Beta 3 contains a patch for this issue.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.