CVE-2021-26812
Published: 2021-04-14
Priority: P356 · Severity: medium · CVSS 3.1 base score: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit likelihood (EPSS): 97.46% (99.9th percentile)
Cross Site Scripting (XSS) in the Jitsi Meet 2.7 through 2.8.3 plugin for Moodle via the "sessionpriv.php" module. This allows attackers to craft a malicious URL which, when clicked on by users, can inject JavaScript code to be run by the application.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jitsi | meet | 2.7 – 2.8.3 | — |
Detection & IOCs (extracted from sources)

Nuclei request URL:
url: {{BaseURL}}/mod/jitsi/sessionpriv.php?avatar=https%3A%2F%2F{{Hostname}}%2Fuser%2Fpix.php%2F498%2Ff1.jpg&nom=test_user%27)%3balert(document.domain)%3b//&ses=test_user&t=1

Snort/Suricata rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Jitsi Meet Plugin XSS Attempt (CVE-2021-26812)"; flow:established,to_server; http.uri; content:"/mod/jitsi/sessionpriv.php?avatar="; nocase; content:"&nom="; nocase; reference:cve,2021-26812; reference:url,vuldb.com/?id.173035; classtype:attempted-user; sid:2033602; rev:1; metadata:attack_target Server, created_at 2021_07_28, cve CVE_2021_26812, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_07_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Look for HTTP GET requests to /mod/jitsi/sessionpriv.php containing both the 'avatar=' and '&nom=' parameters in the URI; the nom parameter carries the injected JavaScript payload.
- Confirm exploitation by checking that the response body reflects 'alert(document.domain);'; the nuclei template uses this as its positive match indicator.
- Presence of the MoodleSession cookie header in the response alongside the reflected payload confirms that the vulnerable Moodle Jitsi Meet plugin is active.
- The canonical PoC payload injects via the 'nom' parameter, using a URL-encoded single quote and semicolons to break out of the JavaScript string context: nom=test_user%27)%3balert(document.domain)%3b//
- The vulnerability affects only Jitsi Meet plugin versions 2.7 through 2.8.3 for Moodle; versions outside this range are not affected.
- Exploitation requires user interaction (UI:R): the victim must click a crafted malicious URL; it is not a zero-click attack.
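An added example, not code from this page or from the plugin project: a small Python detector that replays the Suricata rule's two URI content matches over constructed web-server access-log lines, then applies a stricter check on the decoded nom value. It shows why the rule alone also fires on benign sessionpriv.php requests, so triage should inspect nom for string-breakout characters.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not taken from the page.
# Line 1 carries the page's PoC payload; line 2 is a legitimate call with the same
# parameters; line 3 is an unrelated plugin page.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Apr/2021:10:01:02 +0000] "GET /mod/jitsi/sessionpriv.php?avatar=https%3A%2F%2Fmoodle.example%2Fuser%2Fpix.php%2F498%2Ff1.jpg&nom=test_user%27)%3balert(document.domain)%3b//&ses=test_user&t=1 HTTP/1.1" 200 5120
10.0.0.6 - - [14/Apr/2021:10:02:10 +0000] "GET /mod/jitsi/sessionpriv.php?avatar=https%3A%2F%2Fmoodle.example%2Fuser%2Fpix.php%2F12%2Ff1.jpg&nom=alice&ses=alice&t=1 HTTP/1.1" 200 5120
10.0.0.7 - - [14/Apr/2021:10:03:00 +0000] "GET /mod/jitsi/view.php?id=3 HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one combined-log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def matches_suricata_rule(uri):
    """Mirror the ET rule: both content matches, case-insensitive (nocase)."""
    u = uri.lower()
    return "/mod/jitsi/sessionpriv.php?avatar=" in u and "&nom=" in u


def nom_breaks_js_context(uri):
    """Stricter triage: the decoded nom value contains a quote or semicolon,
    the characters the PoC uses to escape the JavaScript string."""
    qs = parse_qs(urlsplit(uri).query, keep_blank_values=True)  # parse_qs URL-decodes
    nom = qs.get("nom", [""])[0]
    return any(c in nom for c in "'\";<>")


def scan(log_text):
    """Return the records the rule would alert on, annotated with the stricter check."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not matches_suricata_rule(rec["uri"]):
            continue
        rec["suspicious_nom"] = nom_breaks_js_context(rec["uri"])
        hits.append(rec)
    return hits
```

Running scan(SAMPLE_LOG) returns two records: the rule fires on both sessionpriv.php requests, but only the first has a nom value that breaks out of the string context.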
CVSS provenance
- NVD, CVSS v3.1: 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- NVD, CVSS v2.0: 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
Suricata
ET EXPLOIT Jitsi Meet Plugin XSS Attempt (CVE-2021-26812) · suricata · 2021-07-28 · CVSS 6.1 [MEDIUM] · sid 2033602 (rule text listed under Detection & IOCs above)
Nuclei
Moodle Jitsi Meet 2.7-2.8.3 - Cross-Site Scripting · nuclei · CVSS 6.1 [MEDIUM]
Moodle Jitsi Meet 2.7 through 2.8.3 plugin contains a cross-site scripting vulnerability via the "sessionpriv.php" module. This allows attackers to craft a malicious URL, which when clicked on by users, can inject JavaScript code to be run by the application.
Template:
```yaml
id: CVE-2021-26812
info:
  name: Moodle Jitsi Meet 2.7-2.8.3 - Cross-Site Scripting
  author: aceseven (digisec360)
  severity: medium
  description: Moodle Jitsi Meet 2.7 through 2.8.3 plugin contains a cross-site scripting vulnerability via the "sessionpriv.php" module. This allows attackers to craft a malicious URL, which when clicked on by users, can inject JavaScript code to be run by the application.
  impact: |
    Successful exploitation of this vulnerability could allow an at
```