CVE-2023-45671
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-45671
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-45671.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-45671
- Related
- Published
- 2023-10-30T23:15:08Z
- Modified
- 2025-02-19T03:34:45.719546Z
- Severity
-
- 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Frigate is an open source network video recorder. Prior to version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoints reliant on the
/<camera_name>base path as values provided for the path are not sanitized. Exploiting this vulnerability requires the attacker to both know very specific information about a user's Frigate server and requires an authenticated user to be tricked into clicking a specially crafted link to their Frigate instance. This vulnerability could exploited by an attacker under the following circumstances: Frigate publicly exposed to the internet (even with authentication); attacker knows the address of a user's Frigate instance; attacker crafts a specialized page which links to the user's Frigate instance; attacker finds a way to get an authenticated user to visit their specialized page and click the button/link. As the reflected values included in the URL are not sanitized or escaped, this permits execution arbitrary Javascript payloads. Version 0.13.0 Beta 3 contains a patch for this issue. - References
Affected packages
Git / github.com/blakeblackshear/frigate
Affected ranges
- Type
- GIT
- Repo
- https://github.com/blakeblackshear/frigate
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedLast affectedLast affected