
Frigate < 0.13.0 Beta 3 - Cross-Site Scripting (CVE-2023-45671)

pentest-tools.com, updated 2024-02-23, indexed 2025-03-25
Description:
Frigate is an open source network video recorder. Before version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoint that relies on the `/<camera_name>` base path, because the values supplied for that path segment are not sanitized. Exploiting this vulnerability requires the attacker to know very specific information about a user's Frigate server and requires an authenticated user to be tricked into clicking a specially crafted link to their Frigate instance. This vulnerability could be exploited by an attacker under the following circumstances: Frigate is publicly exposed to the internet (even with authentication); the attacker knows the address of the user's Frigate instance; the attacker crafts a specialized page that links to the user's Frigate instance; the attacker finds a way to get an authenticated user to visit that page and click the button/link. As the reflected values included in the URL are neither sanitized nor escaped, this permits execution of arbitrary JavaScript payloads. Version 0.13.0 Beta 3 contains a patch for this issue.

Provider:
pentest-tools.com