CVE-2021-39205
MEDIUM8x8 jitsi_meet < 2.0.6173 - Cross-Site Scripting via JSON Object Property Injection
Title source: llmDescription
Jitsi Meet is an open source video conferencing application. Versions prior to 2.0.6173 are vulnerable to client-side cross-site scripting via injecting properties into JSON objects that were not properly escaped. There are no known incidents related to this vulnerability being exploited in the wild. This issue is fixed in Jitsi Meet version 2.0.6173. There are no known workarounds aside from upgrading.
References (4)
Core 4
Core References
Third Party Advisory x_refsource_confirm
https://github.com/jitsi/jitsi-meet/security/advisories/GHSA-6582-8v9q-v3fg
Patch, Third Party Advisory x_refsource_misc
https://github.com/jitsi/jitsi-meet/pull/9320
Patch, Third Party Advisory x_refsource_misc
https://github.com/jitsi/jitsi-meet/pull/9404
Permissions Required x_refsource_misc
https://hackerone.com/reports/1214493
Scores
CVSS v3
6.8
EPSS
0.0119
EPSS Percentile
63.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Details
CWE
CWE-79
CWE-1321
Status
published
Products (1)
8x8/jitsi_meet
< 2.0.6173
Published
Sep 15, 2021
Tracked Since
Feb 18, 2026