CVE-2023-45671: 
NixOS vulnerability analysis and mitigation

Frigate, an open source network video recorder, was found to contain a reflected cross-site scripting vulnerability (CVE-2023-45671) prior to version 0.13.0 Beta 3. The vulnerability affects API endpoints that rely on the / base path where path values are not properly sanitized. The issue was discovered and disclosed in October 2023, affecting all versions up to and including v0.12.1 and versions before v0.13.0 Beta 3 (GitHub Advisory, NVD).

The vulnerability exists in the recordingclip request handler which returns an unescaped/unsanitized string based on the cameraname parameter in the route. When calling a non-existent camera, the failure response returns the requested value with Flask's default content-type of text/html, enabling reflected XSS. For example, a malicious payload could be triggered using a GET request to /api/<img src="" onerror=alert(document.domain)>. The vulnerability was identified using CodeQL's Reflected server-side cross-site scripting query for Python. The issue has been assigned a CVSS v3.1 Base Score of 4.7 (Medium) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N (GitHub Lab, NVD).

The vulnerability allows execution of arbitrary JavaScript payloads when exploited successfully. Since the reflected values in the URL are not sanitized or escaped, attackers could potentially execute malicious JavaScript code in the context of authenticated users' browsers (GitHub Advisory).

The vulnerability has been patched in Frigate version 0.13.0 Beta 3. Users are advised to upgrade to this version or later to address the security issue (GitHub Advisory).