Cyber Resilience

CVE-2024-44081

Critical

Published: 29 October 2024

Modified: 10 July 2025
KEV Added: not listed
Patch
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0044 (63.7th percentile)
Risk priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-44081 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in 8x8 Jitsi Meet. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 36.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Vulnerability details

In Jitsi Meet before 2.0.9779, the functionality to share a video file was implemented in an insecure way, resulting in clients loading videos from an arbitrary URL if a message from another participant contains a URL encoded in the expected format.

CWE(s)

CWE-79: Cross-site Scripting

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1534 Internal Spearphishing (Lateral Movement)
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization.

T1566.003 Spearphishing via Service (Initial Access)
Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems.
Why these techniques?

The vulnerability enables attackers in a Jitsi Meet session to force other clients to automatically load and play video from an arbitrary attacker-controlled URL via crafted chat messages, facilitating exploitation of public-facing web applications (T1190), internal spearphishing (T1534), and spearphishing via third-party services like video conferencing chat (T1566.003).

Affected Assets

Vendor: 8x8
Product: Jitsi Meet
Versions: ≤ 2.0.9779

Mitigating Controls

Likely Mitigating Controls (AI-mapped)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-79: Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

Addresses CWE-79: Input validation on web inputs rejects script-related content that could produce XSS.

Addresses CWE-79: Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
