CVE-2024-44081
Published: 29 October 2024
Summary
CVE-2024-44081 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in 8X8 Jitsi Meet. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 36.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-40851
Vulnerability details
In Jitsi Meet before 2.0.9779, the functionality to share a video file was implemented in an insecure way, resulting in clients loading videos from an arbitrary URL if a message from another participant contains a URL encoded in the expected…
more
format.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables attackers in a Jitsi Meet session to force other clients to automatically load and play video from an arbitrary attacker-controlled URL via crafted chat messages, facilitating exploitation of public-facing web applications (T1190), internal spearphishing (T1534), and spearphishing via third-party services like video conferencing chat (T1566.003).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.