XSS injection on Jitsi-Meet?

meet

#1

Hello,

Our security department detected an XSS injection vulnerability on Jitsi-Meet when the client sends post request to /http-bind

However, the browser doesn’t seem to be affected by this unencoded response, but generally speaking it’s still considered as a XSS injection vulnerability.

I don’t know if this was fixed on the latest stable version of jitsi-meet but this issue was found with the following versions of prosody and jicofo :

  • jicofo_1.0-405-1_amd64
  • Prosody trunk nightly build 747

#2

Thanks for the warning.

I’m also curious if this has been fixed in latest unstable. Anyone know?


#3

Nope, nobody had worked on it. The values got injected in xmpp xml messages and I don’t think this brings any risk.


#4

any tips on how to fix this ?
I could dig a little bit to patch it