cbcvebase.
CVE-2021-26812
published 2021-04-14


Priority: P3 · score 56 · severity medium · CVSS 3.1 base score 6.1
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Exploit: public exploit available
EPSS: 97.46% (99.9th percentile)
Cross Site Scripting (XSS) in the Jitsi Meet 2.7 through 2.8.3 plugin for Moodle via the "sessionpriv.php" module. This allows attackers to craft a malicious URL, which when clicked on by users, can inject javascript code to be run by the application.

Affected

1 range

Vendor: jitsi · Product: meet · Version range: 2.7 – 2.8.3 · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /mod/jitsi/sessionpriv.php
url: {{BaseURL}}/mod/jitsi/sessionpriv.php?avatar=https%3A%2F%2F{{Hostname}}%2Fuser%2Fpix.php%2F498%2Ff1.jpg&nom=test_user%27)%3balert(document.domain)%3b//&ses=test_user&t=1
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Jitsi Meet Plugin XSS Attempt (CVE-2021-26812)"; flow:established,to_server; http.uri; content:"/mod/jitsi/sessionpriv.php?avatar="; nocase; content:"&nom="; nocase; reference:cve,2021-26812; reference:url,vuldb.com/?id.173035; classtype:attempted-user; sid:2033602; rev:1; metadata:attack_target Server, created_at 2021_07_28, cve CVE_2021_26812, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_07_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Look for HTTP GET requests to /mod/jitsi/sessionpriv.php containing both 'avatar=' and '&nom=' parameters in the URI — the nom parameter carries the injected JavaScript payload.
  • Confirm exploitation by checking that the response body reflects 'alert(document.domain);' — the nuclei template uses this as a positive match indicator.
  • Presence of the MoodleSession cookie header in the response alongside the reflected payload confirms the vulnerable Moodle Jitsi Meet plugin is active.
  • The canonical PoC payload injects via the 'nom' parameter using URL-encoded single-quote and semicolons to break out of JavaScript context: nom=test_user%27)%3balert(document.domain)%3b//
  • The vulnerability affects only Jitsi Meet plugin versions 2.7 through 2.8.3 for Moodle; versions outside this range are not affected.
  • Exploitation requires user interaction (UI:R) — the victim must click a crafted malicious URL; it is not a zero-click attack.
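The first detection point above, applied to web-server access logs, as an added example that is not part of this record or of any vendor tooling: it parses combined-format log lines, keeps only GET requests to /mod/jitsi/sessionpriv.php that carry both avatar= and nom=, and flags a nom value that contains the quote/parenthesis/semicolon characters needed to break out of the JavaScript context. The log lines are constructed samples; response-body reflection (the second point) is not checked because access logs do not carry it.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined/common access-log line; only client IP, request URI and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_PATH = "/mod/jitsi/sessionpriv.php"
# Characters that let the nom value escape the JavaScript string/call context
# (the canonical payload uses a single quote, ')' and ';').
BREAKOUT_RE = re.compile(r"""['"();<>]""")


def inspect_line(line):
    """Return a finding dict when the line matches the CVE-2021-26812 URI pattern, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    parts = urlsplit(m.group("uri"))
    if parts.path.lower() != VULN_PATH:
        return None
    q = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if "avatar" not in q or "nom" not in q:  # same two-parameter test as the Snort rule
        return None
    nom = q["nom"][0]
    return {
        "src": m.group("ip"),
        "nom": nom,
        "breakout": bool(BREAKOUT_RE.search(nom)),  # True => likely exploitation attempt
        "status": int(m.group("status")),
    }


def scan(lines):
    """Run inspect_line over every log line and return the non-empty findings in order."""
    return [f for f in (inspect_line(l) for l in lines) if f]


# Constructed sample lines (not real traffic): a benign visit, the PoC payload, unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Jul/2021:10:00:01 +0000] "GET /mod/jitsi/sessionpriv.php?avatar=https%3A%2F%2Fmoodle.example%2Fuser%2Fpix.php%2F12%2Ff1.jpg&nom=alice&ses=alice&t=1 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [28/Jul/2021:10:00:05 +0000] "GET /mod/jitsi/sessionpriv.php?avatar=https%3A%2F%2Fmoodle.example%2Fuser%2Fpix.php%2F498%2Ff1.jpg&nom=test_user%27)%3balert(document.domain)%3b//&ses=test_user&t=1 HTTP/1.1" 200 5133',
    '198.51.100.9 - - [28/Jul/2021:10:00:09 +0000] "GET /course/view.php?id=2 HTTP/1.1" 200 8800',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(("ALERT " if f["breakout"] else "info  ") + f["src"], repr(f["nom"]))
```

A finding with breakout=False is a normal plugin session and only confirms the plugin is in use; breakout=True on a vulnerable version (2.7 through 2.8.3) warrants checking who followed the link and patching the plugin.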

CVSS provenance

nvd v3.1: 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd v2.0: 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N