CVE-2021-39205 - Vulnerability Details - OpenCVE

Jitsi Meet is an open source video conferencing application. Versions prior to 2.0.6173 are vulnerable to client-side cross-site scripting via injecting properties into JSON objects that were not properly escaped. There are no known incidents related to this vulnerability being exploited in the wild. This issue is fixed in Jitsi Meet version 2.0.6173. There are no known workarounds aside from upgrading.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
8x8	Jitsi Meet

Configuration 1 [-]

cpe:2.3:a:8x8:jitsi_meet:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/jitsi/jitsi-meet/pull/9320
https://github.com/jitsi/jitsi-meet/pull/9404
https://github.com/jitsi/jitsi-meet/security/advisories/GHSA-6582-8v9q-v3fg
https://hackerone.com/reports/1214493

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-09-15T17:15:12

Updated: 2024-08-04T01:58:18.260Z

Reserved: 2021-08-16T00:00:00

Link: CVE-2021-39205

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-09-15T18:15:09.187

Modified: 2024-11-21T06:18:53.790

Link: CVE-2021-39205

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "jitsi-meet", "vendor": "jitsi", "versions": [{"status": "affected", "version": "< 2.0.6173"}]}], "descriptions": [{"lang": "en", "value": "Jitsi Meet is an open source video conferencing application. Versions prior to 2.0.6173 are vulnerable to client-side cross-site scripting via injecting properties into JSON objects that were not properly escaped. There are no known incidents related to this vulnerability being exploited in the wild. This issue is fixed in Jitsi Meet version 2.0.6173. There are no known workarounds aside from upgrading."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-09-15T17:15:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jitsi/jitsi-meet/security/advisories/GHSA-6582-8v9q-v3fg"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/jitsi/jitsi-meet/pull/9320"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/jitsi/jitsi-meet/pull/9404"}, {"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/1214493"}], "source": {"advisory": "GHSA-6582-8v9q-v3fg", "discovery": "UNKNOWN"}, "title": "DOM-based XSS/Content Spoofing via Prototype Pollution", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-39205", "STATE": "PUBLIC", "TITLE": "DOM-based XSS/Content Spoofing via Prototype Pollution"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "jitsi-meet", "version": {"version_data": [{"version_value": "< 2.0.6173"}]}}]}, "vendor_name": "jitsi"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jitsi Meet is an open source video conferencing application. Versions prior to 2.0.6173 are vulnerable to client-side cross-site scripting via injecting properties into JSON objects that were not properly escaped. There are no known incidents related to this vulnerability being exploited in the wild. This issue is fixed in Jitsi Meet version 2.0.6173. There are no known workarounds aside from upgrading."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"description": [{"lang": "eng", "value": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/jitsi/jitsi-meet/security/advisories/GHSA-6582-8v9q-v3fg", "refsource": "CONFIRM", "url": "https://github.com/jitsi/jitsi-meet/security/advisories/GHSA-6582-8v9q-v3fg"}, {"name": "https://github.com/jitsi/jitsi-meet/pull/9320", "refsource": "MISC", "url": "https://github.com/jitsi/jitsi-meet/pull/9320"}, {"name": "https://github.com/jitsi/jitsi-meet/pull/9404", "refsource": "MISC", "url": "https://github.com/jitsi/jitsi-meet/pull/9404"}, {"name": "https://hackerone.com/reports/1214493", "refsource": "MISC", "url": "https://hackerone.com/reports/1214493"}]}, "source": {"advisory": "GHSA-6582-8v9q-v3fg", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:58:18.260Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/jitsi/jitsi-meet/security/advisories/GHSA-6582-8v9q-v3fg"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jitsi/jitsi-meet/pull/9320"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jitsi/jitsi-meet/pull/9404"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/1214493"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-39205", "datePublished": "2021-09-15T17:15:12", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-08-04T01:58:18.260Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:8x8:jitsi_meet:*:*:*:*:*:*:*:*", "matchCriteriaId": "A30F6747-14E8-411D-94A2-CD50253107CD", "versionEndExcluding": "2.0.6173", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jitsi Meet is an open source video conferencing application. Versions prior to 2.0.6173 are vulnerable to client-side cross-site scripting via injecting properties into JSON objects that were not properly escaped. There are no known incidents related to this vulnerability being exploited in the wild. This issue is fixed in Jitsi Meet version 2.0.6173. There are no known workarounds aside from upgrading."}, {"lang": "es", "value": "Jitsi Meet es una aplicaci\u00f3n de videoconferencia de c\u00f3digo abierto. Las versiones anteriores a 2.0.6173 son vulnerables a un ataque de tipo cross-site scripting del lado del cliente por medio de una inyecci\u00f3n de propiedades en objetos JSON que no fueron escapados correctamente. No se conocen incidentes relacionados con la explotaci\u00f3n de esta vulnerabilidad. Este problema ha sido corregido en la versi\u00f3n 2.0.6173 de Jitsi Meet. No se conocen soluciones aparte de la actualizaci\u00f3n"}], "id": "CVE-2021-39205", "lastModified": "2024-11-21T06:18:53.790", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-15T18:15:09.187", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jitsi/jitsi-meet/pull/9320"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jitsi/jitsi-meet/pull/9404"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/jitsi/jitsi-meet/security/advisories/GHSA-6582-8v9q-v3fg"}, {"source": "security-advisories@github.com", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/1214493"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jitsi/jitsi-meet/pull/9320"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jitsi/jitsi-meet/pull/9404"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/jitsi/jitsi-meet/security/advisories/GHSA-6582-8v9q-v3fg"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/1214493"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-1321"}], "source": "nvd@nist.gov", "type": "Primary"}]}