DOM-based XSS/Content Spoofing via Prototype Pollution
CVE-2021-39205

6.8MEDIUM

Key Information:

Vendor

Jitsi

Status
Jitsi-meet
Vendor
CVE Published:
15 September 2021

What is CVE-2021-39205?

Jitsi Meet is an open source video conferencing application. Versions prior to 2.0.6173 are vulnerable to client-side cross-site scripting via injecting properties into JSON objects that were not properly escaped. There are no known incidents related to this vulnerability being exploited in the wild. This issue is fixed in Jitsi Meet version 2.0.6173. There are no known workarounds aside from upgrading.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

jitsi-meet < 2.0.6173

References

https://github.com/jitsi/jitsi-meet/security/advisories/G...
x_refsource_CONFIRM
https://github.com/jitsi/jitsi-meet/pull/9320
x_refsource_MISC
https://github.com/jitsi/jitsi-meet/pull/9404
x_refsource_MISC

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.