{"id":"CVE-2023-45671","summary":"Frigate reflected XSS through `/\u003ccamera_name\u003e` API endpoints","details":"Frigate is an open source network video recorder. Prior to version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoint that relies on the `/\u003ccamera_name\u003e` base path, because values supplied for that path segment are not sanitized. Exploiting this vulnerability requires the attacker both to know very specific information about a user's Frigate server and to trick an authenticated user into clicking a specially crafted link to their Frigate instance. This vulnerability could be exploited by an attacker under the following circumstances: Frigate is publicly exposed to the internet (even with authentication); the attacker knows the address of a user's Frigate instance; the attacker crafts a specialized page which links to the user's Frigate instance; the attacker finds a way to get an authenticated user to visit that page and click the button/link. As the reflected values included in the URL are not sanitized or escaped, this permits execution of arbitrary JavaScript payloads in the victim's browser.\nVersion 0.13.0 Beta 3 contains a patch for this issue.","aliases":["GHSA-jjxc-m35j-p56f"],"modified":"2026-04-10T05:04:34.662453Z","published":"2023-10-30T22:41:17.276Z","database_specific":{"cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/45xxx/CVE-2023-45671.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/45xxx/CVE-2023-45671.json"},{"type":"ADVISORY","url":"https://github.com/blakeblackshear/frigate/security/advisories/GHSA-jjxc-m35j-p56f"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45671"},{"type":"ADVISORY","url":"https://securitylab.github.com/advisories/GHSL-2023-190_Frigate/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/blakeblackshear/frigate","events":[{"introduced":"0"},{"fixed":"cd64399fe5fae94de378b6303a860b000a76d1d5"}]}],"versions":["0.1.2","v0.0.1","v0.1.0","v0.1.1","v0.10.0","v0.10.1","v0.11.0","v0.11.1","v0.12.0-beta1","v0.12.0-beta10","v0.12.0-beta2","v0.12.0-beta3","v0.12.0-beta4","v0.12.0-beta5","v0.12.0-beta6","v0.12.0-beta7","v0.12.0-beta8","v0.12.0-beta9","v0.12.0-rc1","v0.12.0-rc2","v0.13.0-beta1","v0.13.0-beta2","v0.2.0","v0.2.0-beta","v0.2.1","v0.2.2","v0.2.2-beta","v0.3.0","v0.5.0","v0.5.0-rc2","v0.5.0-rc4","v0.5.1","v0.5.2","v0.6.0","v0.6.0-rc1","v0.6.0-rc2","v0.6.0-rc3","v0.6.1","v0.7.0","v0.7.1","v0.7.2","v0.7.3","v0.8.0","v0.8.1","v0.8.2","v0.8.3","v0.8.4","v0.9.0","v0.9.1","v0.9.2","v0.9.3","v0.9.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-45671.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}
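The advisory above describes the bug class (CWE-79: a `/<camera_name>` path segment reflected unescaped into an HTML response) but not the code. The following is an added illustration, not Frigate's code and not the fix in the referenced commit: it models a hypothetical `GET /<camera_name>/...` handler, shows how a percent-encoded crafted link reaches the route already decoded (WSGI servers decode `PATH_INFO` before routing), and places the unsafe reflection beside two mitigations, escaping the value and an allow-list lookup that never reflects the input at all. `CONFIGURED_CAMERAS`, `CRAFTED_SEGMENT` and all function names are constructed for this example.

```python
"""Reflected XSS via an unsanitized URL path segment: vulnerable vs. hardened.

Added example modelled on the CVE-2023-45671 description; it is not
Frigate's code. All names and the sample config below are constructed.
"""
import html
import json
import re
from urllib.parse import unquote

# Constructed sample config: the only cameras this server knows about.
CONFIGURED_CAMERAS = {"front_door", "driveway"}

# Constructed attacker payload, percent-encoded as it would appear in a
# crafted link such as https://frigate.example/<payload>/latest.jpg
CRAFTED_SEGMENT = "%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E"

# Allow-list shape for camera identifiers (assumption for this example).
CAMERA_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def camera_from_path(path: str) -> str:
    """Return the first path segment, percent-decoded, the way a WSGI
    server hands PATH_INFO to the router before a route like
    /<camera_name>/... sees it."""
    return unquote(path.lstrip("/").split("/", 1)[0])


def error_body_vulnerable(camera_name: str) -> str:
    """Reflects the raw path value into an HTML body: the CWE-79 pattern."""
    return f"<p>{camera_name} is not a valid camera</p>"


def error_body_hardened(camera_name: str) -> str:
    """Same message, but the reflected value is HTML-escaped first."""
    return f"<p>{html.escape(camera_name)} is not a valid camera</p>"


def lookup_camera(camera_name: str, configured=CONFIGURED_CAMERAS):
    """Allow-list check: only a syntactically valid, configured name passes.
    Returns the name on success and None otherwise, so the caller can emit a
    generic error that does not echo attacker input."""
    if not CAMERA_NAME_RE.fullmatch(camera_name):
        return None
    return camera_name if camera_name in configured else None


def handle_request(path: str, hardened: bool) -> tuple:
    """Minimal stand-in for a /<camera_name>/latest.jpg route.
    Returns (status, content_type, body)."""
    name = camera_from_path(path)
    if hardened:
        if lookup_camera(name) is None:
            # Generic message, non-HTML content type, nothing reflected.
            body = json.dumps({"success": False, "message": "Camera not found"})
            return 404, "application/json", body
        return 200, "text/plain", f"snapshot for {name}"
    # Vulnerable branch: an unknown name is echoed straight into HTML.
    if name not in CONFIGURED_CAMERAS:
        return 404, "text/html", error_body_vulnerable(name)
    return 200, "text/plain", f"snapshot for {name}"


if __name__ == "__main__":
    crafted = "/" + CRAFTED_SEGMENT + "/latest.jpg"
    print("decoded segment:", camera_from_path(crafted))
    print("vulnerable:", handle_request(crafted, hardened=False))
    print("hardened:  ", handle_request(crafted, hardened=True))
```

The hardened branch combines both defences: the allow-list rejects anything that is not a configured camera, and the error response carries no user-controlled text and no HTML content type, so even a reflected-output mistake elsewhere would have nothing to render. `error_body_hardened` is kept for the case where a message genuinely must include the name; output escaping alone is sufficient for this reflection, but the allow-list is the smaller attack surface.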