{"id":"CVE-2023-45670","summary":"Frigate cross-site request forgery in `config_save` and `config_set` request handlers","details":"Frigate is an open source network video recorder. Prior to version 0.13.0 Beta 3, the `config/save` and `config/set` endpoints of Frigate do not implement any CSRF protection. This makes it possible for a request sourced from another site to update the configuration of the Frigate server (e.g. via a \"drive-by\" attack). Exploiting this vulnerability requires the attacker to both know very specific information about a user's Frigate server and requires an authenticated user to be tricked into clicking a specially crafted link to their Frigate instance. This vulnerability could be exploited by an attacker under the following circumstances: Frigate publicly exposed to the internet (even with authentication); attacker knows the address of a user's Frigate instance; attacker crafts a specialized page which links to the user's Frigate instance; attacker finds a way to get an authenticated user to visit their specialized page and click the button/link. This issue can lead to arbitrary configuration updates for the Frigate server, resulting in denial of service and possible data exfiltration.\n\nVersion 0.13.0 Beta 3 contains a patch.","aliases":["GHSA-xq49-hv88-jr6h"],"modified":"2026-02-16T02:53:39.343114Z","published":"2023-10-30T22:38:19.118Z","database_specific":{"cwe_ids":["CWE-352"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/45xxx/CVE-2023-45670.json","cna_assigner":"GitHub_M"},"references":[{"type":"ARTICLE","url":"https://about.gitlab.com/blog/2021/09/07/why-are-developers-vulnerable-to-driveby-attacks/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/45xxx/CVE-2023-45670.json"},{"type":"WEB","url":"https://github.com/blakeblackshear/frigate/blob/5658e5a4cc7376504af9de5e1eff178939a13e7f/frigate/http.py#L1060"},{"type":"WEB","url":"https://github.com/blakeblackshear/frigate/blob/6aedc39a9a421cf48000a727f36b4c1495848a1d/frigate/http.py#L998"},{"type":"WEB","url":"https://github.com/blakeblackshear/frigate/discussions/8366"},{"type":"ADVISORY","url":"https://github.com/blakeblackshear/frigate/security/advisories/GHSA-xq49-hv88-jr6h"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45670"},{"type":"ADVISORY","url":"https://securitylab.github.com/advisories/GHSL-2023-190_Frigate/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/blakeblackshear/frigate","events":[{"introduced":"0"},{"fixed":"cd64399fe5fae94de378b6303a860b000a76d1d5"}]}],"versions":["0.1.2","v0.0.1","v0.1.0","v0.1.1","v0.10.0","v0.10.1","v0.11.0","v0.11.0-beta2","v0.11.0-beta3","v0.11.0-beta4","v0.11.0-beta5","v0.11.0-beta6","v0.11.0-beta7","v0.11.0-rc1","v0.11.0-rc2","v0.11.0-rc3","v0.11.1","v0.12.0","v0.12.0-beta1","v0.12.0-beta10","v0.12.0-beta2","v0.12.0-beta3","v0.12.0-beta4","v0.12.0-beta5","v0.12.0-beta6","v0.12.0-beta7","v0.12.0-beta8","v0.12.0-beta9","v0.12.0-rc1","v0.12.0-rc2","v0.12.1","v0.13.0-beta1","v0.13.0-beta2","v0.2.0","v0.2.0-beta","v0.2.1","v0.2.2","v0.2.2-beta","v0.3.0","v0.5.0","v0.5.0-rc2","v0.5.0-rc4","v0.5.1","v0.5.2","v0.6.0","v0.6.0-rc1","v0.6.0-rc2","v0.6.0-rc3","v0.6.1","v0.7.0","v0.7.1","v0.7.2","v0.7.3","v0.8.0","v0.8.1","v0.8.2","v0.8.3","v0.8.4","v0.9.0","v0.9.0-beta1","v0.9.0-beta2","v0.9.0-rc1","v0.9.0-rc2","v0.9.0-rc3","v0.9.0-rc4","v0.9.0-rc5","v0.9.0-rc6","v0.9.1","v0.9.2","v0.9.3","v0.9.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-45670.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}