XSS injection on Jitsi-Meet?

Our security department detected an XSS injection vulnerability on Jitsi-Meet when the client sends a POST request to /http-bind.

However, the browser doesn’t seem to be affected by this unencoded response, but generally speaking it’s still considered an XSS injection vulnerability.

I don’t know if this was fixed in the latest stable version of jitsi-meet, but this issue was found with the following versions of prosody and jicofo:

  • jicofo_1.0-405-1_amd64
  • Prosody trunk nightly build 747


Thanks for the warning.

I’m also curious if this has been fixed in the latest unstable. Anyone know?


Nope, nobody has worked on it. The values get injected into XMPP XML messages and I don’t think this brings any risk.


Any tips on how to fix this?
I could dig a little bit to patch it.