CVE-2023-45671 in Frigate

Summary

by MITRE • 10/31/2023

Frigate is an open source network video recorder. Prior to version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoints reliant on the `/` base path, as values provided for the path are not sanitized. Exploiting this vulnerability requires the attacker to both know very specific information about a user's Frigate server and requires an authenticated user to be tricked into clicking a specially crafted link to their Frigate instance. This vulnerability could be exploited by an attacker under the following circumstances: Frigate publicly exposed to the internet (even with authentication); attacker knows the address of a user's Frigate instance; attacker crafts a specialized page which links to the user's Frigate instance; attacker finds a way to get an authenticated user to visit their specialized page and click the button/link. As the reflected values included in the URL are not sanitized or escaped, this permits execution of arbitrary JavaScript payloads. Version 0.13.0 Beta 3 contains a patch for this issue.


Analysis

by VulDB Data Team • 10/31/2023

The vulnerability identified as CVE-2023-45671 affects Frigate, an open source network video recorder that provides surveillance capabilities through a web-based interface. This cross-site scripting vulnerability exists in versions prior to 0.13.0 Beta 3 and specifically affects API endpoints that rely on the forward-slash base path. The flaw is a classic reflected XSS: user-supplied path values are incorporated directly into HTTP responses without sanitization or output encoding, creating a pathway for script execution within the context of an authenticated user's session.

The technical exploitation of this vulnerability requires a specific attack vector that combines multiple conditions for successful execution. An attacker must first have knowledge of a target user's Frigate server configuration and address, which implies that the system is publicly accessible on the internet even when protected by authentication mechanisms. The attack methodology involves crafting a specialized web page containing malicious links that target the vulnerable Frigate instance, then persuading an authenticated user to visit this crafted page and click on the malicious hyperlink. This social engineering component is critical because the vulnerability requires user interaction to be effective, making it a targeted attack rather than a fully automated exploit.

The operational impact of this vulnerability extends beyond simple script execution, as it allows attackers to leverage the authenticated user's session privileges within the Frigate system. Since the reflected values in URLs are not properly escaped or sanitized, malicious JavaScript payloads can execute with the privileges of the authenticated user, potentially enabling unauthorized access to video feeds, configuration modifications, or even complete system compromise depending on the user's permission levels. The vulnerability is classified under CWE-79, which covers cross-site scripting flaws, and the attack pattern corresponds to ATT&CK technique T1566.001 (phishing with malicious links), showing how this vulnerability bridges a web application security flaw with social engineering tactics.

The patch implemented in version 0.13.0 Beta 3 addresses this issue through proper input sanitization and output encoding of path parameters within API endpoints that utilize the base path. This remediation follows established security best practices for preventing reflected cross-site scripting vulnerabilities by ensuring that all user-supplied input values are properly escaped or filtered before being incorporated into HTTP responses. Organizations utilizing Frigate systems should immediately upgrade to version 0.13.0 Beta 3 or later to mitigate this vulnerability, while also implementing network segmentation and access controls to limit public exposure of surveillance systems even when authentication is required. The vulnerability serves as a reminder of the importance of input validation and output encoding in web applications, particularly in security-critical systems where unauthorized access could result in significant privacy and security implications.
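The following is an added teaching example, not Frigate's code and not the patch referenced in the analysis. It reproduces the general pattern described above (a response that echoes the requested path into HTML verbatim) next to the hardened form that HTML-escapes the value before embedding it, and adds a small regression check a reviewer can run against any response body. The handler names, the response template and the sample paths are all constructed for this illustration.

```python
import html
from urllib.parse import unquote

# Constructed sample request paths (not taken from Frigate or the advisory).
SAMPLE_PATHS = [
    "/api/events/12345",            # benign: no HTML metacharacters
    "/api/<b>not-real</b>",         # carries raw markup
    "/api/%3Cb%3Enot-real%3C/b%3E", # same markup, URL-encoded
]


def render_not_found_vulnerable(request_path: str) -> str:
    """Hypothetical 404 handler that reflects the decoded path into HTML
    without encoding. This is the reflected-XSS pattern the advisory
    describes, reproduced only to contrast with the hardened version."""
    decoded = unquote(request_path)
    return f"<html><body><h1>404</h1><p>No route for {decoded}</p></body></html>"


def render_not_found_hardened(request_path: str) -> str:
    """Same response, but the path is HTML-escaped (including quotes) before
    it is embedded, so browser treats it as text rather than markup."""
    decoded = unquote(request_path)
    safe = html.escape(decoded, quote=True)
    return f"<html><body><h1>404</h1><p>No route for {safe}</p></body></html>"


def reflects_raw_markup(body: str, request_path: str) -> bool:
    """Regression check: True when the response body contains the decoded
    request path verbatim AND that path carries HTML metacharacters.
    Decoding first matters because a URL-encoded path is reflected after
    the server decodes it."""
    decoded = unquote(request_path)
    has_meta = any(c in decoded for c in "<>\"'&")
    return has_meta and decoded in body


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        vuln = reflects_raw_markup(render_not_found_vulnerable(path), path)
        safe = reflects_raw_markup(render_not_found_hardened(path), path)
        print(f"{path!r}: vulnerable reflects={vuln}, hardened reflects={safe}")
```

`reflects_raw_markup` is deliberately simple: it flags only verbatim reflection of a metacharacter-bearing path, which is exactly the defect class described here. It does not reason about attribute or JavaScript contexts, where escaping rules differ, so treat it as a smoke test rather than a complete XSS check.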

Responsible

GitHub, Inc.

Reservation

10/10/2023

Disclosure

10/31/2023

Moderation

accepted

CPE

ready

EPSS

0.32137

KEV

no

Activities

very low

Sources
