CVE-2021-39205

Jitsi Meet is an open source video conferencing application. Versions prior to 2.0.6173 are vulnerable to client-side cross-site scripting via injecting properties into JSON objects that were not properly escaped. There are no known incidents related to this vulnerability being exploited in the wild. This issue is fixed in Jitsi Meet version 2.0.6173. There are no known workarounds aside from upgrading.

CVSS v3 6.1 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/jitsi/jitsi-meet/pull/9320	Patch Third Party Advisory
https://github.com/jitsi/jitsi-meet/pull/9404	Patch Third Party Advisory
https://github.com/jitsi/jitsi-meet/security/advisories/GHSA-6582-8v9q-v3fg	Third Party Advisory
https://hackerone.com/reports/1214493	Permissions Required

Configurations

Configuration 1 (hide)

cpe:2.3:a:8x8:jitsi_meet:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-09-15 18:15

Updated : 2024-02-28 18:48

NVD link : CVE-2021-39205

Mitre link : CVE-2021-39205

CVE.ORG link : CVE-2021-39205

JSON object : View

Products Affected

8x8

jitsi_meet

CWE

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2021-39205", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.6}]}, "published": "2021-09-15T18:15:09.187", "references": [{"url": "https://github.com/jitsi/jitsi-meet/pull/9320", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/jitsi/jitsi-meet/pull/9404", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/jitsi/jitsi-meet/security/advisories/GHSA-6582-8v9q-v3fg", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://hackerone.com/reports/1214493", "tags": ["Permissions Required"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-1321"}, {"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1321"}, {"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Jitsi Meet is an open source video conferencing application. Versions prior to 2.0.6173 are vulnerable to client-side cross-site scripting via injecting properties into JSON objects that were not properly escaped. There are no known incidents related to this vulnerability being exploited in the wild. This issue is fixed in Jitsi Meet version 2.0.6173. There are no known workarounds aside from upgrading."}, {"lang": "es", "value": "Jitsi Meet es una aplicaci\u00f3n de videoconferencia de c\u00f3digo abierto. Las versiones anteriores a 2.0.6173 son vulnerables a un ataque de tipo cross-site scripting del lado del cliente por medio de una inyecci\u00f3n de propiedades en objetos JSON que no fueron escapados correctamente. No se conocen incidentes relacionados con la explotaci\u00f3n de esta vulnerabilidad. Este problema ha sido corregido en la versi\u00f3n 2.0.6173 de Jitsi Meet. No se conocen soluciones aparte de la actualizaci\u00f3n"}], "lastModified": "2022-09-10T02:45:50.647", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:8x8:jitsi_meet:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A30F6747-14E8-411D-94A2-CD50253107CD", "versionEndExcluding": "2.0.6173"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}