Our security department detected an XSS injection vulnerability on Jitsi-Meet when the client sends a POST request to /http-bind.
Original request: the client sends its User-Agent in the POST request as below (in the red frame).
Modified request: we replace the User-Agent content with JS code as below.
Server response after modifying the User-Agent: we can see that the server sends back the User-Agent in the response body with unencoded content.
However, the browser doesn’t seem to be affected by this unencoded response, but generally speaking it’s still considered an XSS injection vulnerability.
I don’t know if this was fixed in the latest stable version of jitsi-meet, but this issue was found with the following versions of Prosody and Jicofo:
- Prosody trunk nightly build 747
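As an added example, not code from the original post or from the Jitsi, Prosody or Jicofo projects: a minimal Python handler that reflects the User-Agent header into an HTML body, first unencoded (the behaviour reported above) and then HTML-escaped, plus a check that can be run over a captured request/response pair to flag unencoded reflection. The header dictionary, the page text and the canary value are constructed for the example.

```python
import html
from typing import Dict

# Constructed marker: a harmless tag pair that must come back encoded.
CANARY = "<b>ua-canary</b>"


def render_unencoded(headers: Dict[str, str]) -> str:
    """Vulnerable form: the header value is interpolated as-is into HTML.
    This mirrors the reflection described in the report."""
    ua = headers.get("User-Agent", "")
    return f"<html><body>Unknown client: {ua}</body></html>"


def render_escaped(headers: Dict[str, str]) -> str:
    """Hardened form: HTML-escape the header before it reaches the body.
    quote=True also encodes quotes, so the value is safe inside attributes."""
    ua = html.escape(headers.get("User-Agent", ""), quote=True)
    return f"<html><body>Unknown client: {ua}</body></html>"


def reflects_unencoded(request_headers: Dict[str, str], response_body: str,
                       header: str = "User-Agent") -> bool:
    """Return True when the raw header value, which contains characters that
    need HTML encoding, appears verbatim in the response body."""
    raw = request_headers.get(header, "")
    if not raw or raw == html.escape(raw, quote=True):
        return False  # nothing in the header needed encoding
    return raw in response_body


if __name__ == "__main__":
    req = {"Content-Type": "text/xml; charset=UTF-8", "User-Agent": CANARY}
    for name, render in (("unencoded", render_unencoded), ("escaped", render_escaped)):
        body = render(req)
        print(f"{name}: reflects unencoded = {reflects_unencoded(req, body)}")
```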