Summary
There is a reflected XSS vulnerability in any API endpoints reliant on the /<camera_name> base path, as values provided for the path are not sanitized.
Exploiting this vulnerability requires the attacker to both know very specific information about a user's Frigate server and requires an authenticated user to be tricked into clicking a specially crafted link to their Frigate instance.
This vulnerability could be exploited by an attacker under the following circumstances:
- Frigate publicly exposed to the internet (even with authentication)
- Attacker knows the address of a user's Frigate instance
- Attacker crafts a specialized page which links to the user's Frigate instance
- Attacker finds a way to get an authenticated user to visit their specialized page and click the button/link
Details
The recording_clip request handler returns an unescaped/unsanitized string based on the camera_name requested in the route that calls it. As a result of this, reflected XSS is possible.
By calling a camera that does not exist, we can force a failure response that will return the requested value. Note that this response will use Flask's default content-type of text/html:
    if p.returncode != 0:
        logger.error(p.stderr)
        # camera_name is taken straight from the URL path and interpolated unescaped
        return f"Could not create clip from recordings for {camera_name}.", 500
As an example, we can trigger an XSS payload using the official demo instance with the following GET request executed in a browser:
GET https://demo.frigate.video/api/%3Cimg%20src=%22%22%20onerror=alert(document.domain)%3E
This vulnerability was found using CodeQL’s Reflected server-side cross-site scripting for Python.
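The following is an added example, not Frigate's code, showing the defect in the shape of a plain Python function next to a hardened version. It stands in for a Flask view by returning a (body, status, headers) tuple, uses a constructed camera allowlist (KNOWN_CAMERAS) and a hypothetical name pattern (CAMERA_NAME_RE), and includes a small check a test suite can run to confirm the raw path value is no longer echoed into an HTML response.

```python
import html
import re

# Constructed sample: the camera names this stand-in instance knows about.
# This is an assumption for the example, not Frigate's configuration format.
KNOWN_CAMERAS = {"front_door", "driveway"}

# Hypothetical allowlist for what a camera name may look like.
CAMERA_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def vulnerable_clip_error(camera_name: str):
    """Mirrors the defect the advisory describes: the untrusted path value is
    interpolated into the body and served as text/html (Flask's default for a
    string return), so any markup in camera_name is rendered by the browser."""
    body = f"Could not create clip from recordings for {camera_name}."
    return body, 500, {"Content-Type": "text/html; charset=utf-8"}


def hardened_clip_error(camera_name: str):
    """Two independent fixes: reject names that are not a configured camera, so
    an unknown value is never echoed at all; and for the values we do echo,
    HTML-escape them and serve the error as text/plain rather than text/html."""
    if not CAMERA_NAME_RE.fullmatch(camera_name) or camera_name not in KNOWN_CAMERAS:
        # Generic message: nothing from the request is reflected.
        return "Camera not found.", 404, {"Content-Type": "text/plain; charset=utf-8"}
    # Escaping is belt-and-braces here; the allowlist already forbids markup.
    body = f"Could not create clip from recordings for {html.escape(camera_name)}."
    return body, 500, {"Content-Type": "text/plain; charset=utf-8"}


def reflects_markup(response, payload: str) -> bool:
    """Defender-side check: does the raw payload come back verbatim in a
    response the browser would interpret as HTML?"""
    body, _status, headers = response
    return payload in body and headers["Content-Type"].startswith("text/html")


if __name__ == "__main__":
    # The same probe string the advisory shows, here as test input only.
    probe = '<img src="" onerror=alert(document.domain)>'
    print("vulnerable reflects markup:", reflects_markup(vulnerable_clip_error(probe), probe))
    print("hardened reflects markup:", reflects_markup(hardened_clip_error(probe), probe))
```

In a real Flask handler the equivalent of the hardened branch is to look the camera up in the configured set before doing any work, return a fixed message or a JSON body for the failure case, and never return an f-string built from path parameters as a bare string response.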
Impact
As the reflected values included in the URL are not sanitized or escaped, this permits execution of arbitrary JavaScript payloads.