CVE-2023-45671— Frigate 跨站脚本漏洞
新しい脆弱性情報の通知を購読するログインして購読
I. CVE-2023-45671の基本情報
脆弱性情報
脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗ 高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
Frigate reflected XSS through `/<camera_name>` API endpoints
ソース: NVD (National Vulnerability Database)
脆弱性説明
Frigate is an open source network video recorder. Prior to version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoints reliant on the `/<camera_name>` base path as values provided for the path are not sanitized. Exploiting this vulnerability requires the attacker to both know very specific information about a user's Frigate server and requires an authenticated user to be tricked into clicking a specially crafted link to their Frigate instance. This vulnerability could exploited by an attacker under the following circumstances: Frigate publicly exposed to the internet (even with authentication); attacker knows the address of a user's Frigate instance; attacker crafts a specialized page which links to the user's Frigate instance; attacker finds a way to get an authenticated user to visit their specialized page and click the button/link. As the reflected values included in the URL are not sanitized or escaped, this permits execution arbitrary Javascript payloads. Version 0.13.0 Beta 3 contains a patch for this issue.
ソース: NVD (National Vulnerability Database)
CVSS情報
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
ソース: NVD (National Vulnerability Database)
脆弱性タイトル
Frigate 跨站脚本漏洞
ソース: CNNVD (China National Vulnerability Database)
脆弱性説明
Frigate是Blake Blackshear个人开发者的一款专为具有 AI 对象检测功能的家庭助理设计的完整本地 NVR。 Frigate 0.13.0 Beta 3之前版本存在跨站脚本漏洞,该漏洞源于存在反射型跨站脚本漏洞,攻击者利用该漏洞可以执行任意Javascript。
ソース: CNNVD (China National Vulnerability Database)
CVSS情報
N/A
ソース: CNNVD (China National Vulnerability Database)
脆弱性タイプ
N/A
ソース: CNNVD (China National Vulnerability Database)
影響を受ける製品
| ベンダー | プロダクト | 影響を受けるバージョン | CPE | 購読 |
|---|---|---|---|---|
| blakeblackshear | frigate | < 0.13.0-beta3 | - |
II. CVE-2023-45671の公開POC
| # | POC説明 | ソースリンク | Shenlongリンク |
|---|---|---|---|
| 1 | Frigate is an open source network video recorder. Before version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoints reliant on the `/<camera_name>` base path as values provided for the path are not sanitized. Exploiting this vulnerability requires the attacker to both know very specific information about a user's Frigate server and requires an authenticated user to be tricked into clicking a specially crafted link to their Frigate instance. This vulnerability could exploited by an attacker under the following circumstances: Frigate publicly exposed to the internet (even with authentication); attacker knows the address of a user's Frigate instance; attacker crafts a specialized page which links to the user's Frigate instance; attacker finds a way to get an authenticated user to visit their specialized page and click the button/link. As the reflected values included in the URL are not sanitized or escaped, this permits execution arbitrary Javascript payloads. Version 0.13.0 Beta 3 contains a patch for this issue. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-45671.yaml | POC詳細 |
AI生成POCプレミアム
公開POCは見つかりませんでした。
ログインしてAI POCを生成III. CVE-2023-45671のインテリジェンス情報
请登录查看更多情报信息。
- https://securitylab.github.com/advisories/GHSL-2023-190_Frigate/x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2023-45671
Same Patch Batch · blakeblackshear · 2023-10-30 · 3 CVEs total
| CVE-2023-45672 | 7.5 HIGH | Frigate unsafe deserialization in `load_config_with_no_duplicates` of `frigate/util/builti |
| CVE-2023-45670 | 7.5 HIGH | Frigate cross-site request forgery in `config_save` and `config_set` request handlers |
IV. 関連脆弱性
同じ製品: frigate
- CVE-2026-33470
Frigate has cross-camera snapshot disclosure via unrestricte - CVE-2026-33469
Authenticated Frigate users can read the full unredacted con - CVE-2026-33126
Frigate has SSRF vulnerability in /ffprobe endpoint - CVE-2026-33125
Frigate Broken Access Control: Users assigned the viewer rol - CVE-2026-33124
Frigate has insecure password change functionality
同じベンダー: blakeblackshear
- CVE-2026-33470
Frigate has cross-camera snapshot disclosure via unrestricte - CVE-2026-33469
Authenticated Frigate users can read the full unredacted con - CVE-2026-33126
Frigate has SSRF vulnerability in /ffprobe endpoint - CVE-2026-33125
Frigate Broken Access Control: Users assigned the viewer rol - CVE-2026-33124
Frigate has insecure password change functionality
同じ弱点: CWE-79
- CVE-2026-8262
Devs Palace ERP Online chart-save cross site scripting - CVE-2026-8256
Devs Palace ERP Online mr-save cross site scripting - CVE-2026-8255
Devs Palace ERP Online add_new_customer cross site scripting - CVE-2026-8254
Devs Palace ERP Online sales_save cross site scripting - CVE-2026-8253
Devs Palace ERP Online purchase_save cross site scripting
V. CVE-2023-45671へのコメント
まだコメントはありません