CVE-2023-45671

Name of the Vulnerable Software and Affected Versions Frigate versions prior to 0.13.0 Beta 3

Description Frigate is an open source network video recorder. There is a reflected cross-site scripting vulnerability in any API endpoints reliant on the / base path with a /<camera name> parameter, as values provided for the path are not sanitized. Exploiting this vulnerability requires the attacker to know specific information about a user's Frigate server and to trick an authenticated user into clicking a specially crafted link to their Frigate instance. This could be exploited if Frigate is publicly exposed to the internet, the attacker knows the address of a user's Frigate instance, crafts a specialized page linking to the user's Frigate instance, and gets an authenticated user to visit the page and click the link. The reflected values in the URL are not sanitized or escaped, allowing execution of arbitrary Javascript payloads.

Recommendations For versions prior to 0.13.0 Beta 3, update to version 0.13.0 Beta 3 or later to resolve the issue. As a temporary workaround, consider restricting access to API endpoints reliant on the / base path with a /<camera name> parameter to minimize the risk of exploitation. Avoid using the /<camera name> base path in API endpoints until the issue is resolved.