CVE-2021-39205 MEDIUM

CVE-2021-39205: DOM-based XSS/Content Spoofing via Prototype Pollution

Vendor: Jitsi
Product: jitsi-meet
Weakness: CWE-79 · XSS
Published: September 15, 2021
Last update: August 4, 2024

CVSS base score

6.8/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

Jitsi Meet is an open source video conferencing application. Versions prior to 2.0.6173 are vulnerable to client-side cross-site scripting via injecting properties into JSON objects that were not properly escaped. There are no known incidents related to this vulnerability being exploited in the wild. This issue is fixed in Jitsi Meet version 2.0.6173. There are no known workarounds aside from upgrading.

Key dates

02 Disclosure timeline

September 15, 2021: CVE published
August 4, 2024: Record updated
