- Project: jitsi-meet
- Summary: Poll vote manipulation
- Severity: Minor
- Affected versions: < 8044
- Fixed date: 2022-11-02
- Fixed version: stable-8044
- CVE: N/A
- Reported by: Mustafa Jamal (xsky) and independently Robertas Maleckas, ETH Zurich, Prof. Kenny Paterson, ETH Zurich, Prof. Martin Albrecht, Royal Holloway, University of London
The poll feature used to send user JIDs and names included in protocol messages, rather than derive from the XMPP session of the sender. Consequently, anyone in the conference could send messages with fake senderId or voterId values, and arbitrarily forge polls and votes.
User JIDs and display names are no longer sent in the protocol messages and are taken from the XMPP session.
Jitsi security advisories are posted in https://github.com/jitsi/security-advisories/tree/master/advisories