Impact
The poll feature carried user JIDs and display names inside the protocol messages themselves and trusted those values, rather than deriving the sender's identity from the XMPP session the message arrived on. Consequently, anyone in the conference could send poll messages with forged senderId or voterId values and so create polls, and cast votes, in other participants' names.
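The following is an added example, not jitsi-meet's code, showing the two handling strategies the advisory contrasts. It models a MUC poll handler in plain JavaScript: in the "trust the body" mode the identity fields inside the JSON payload (senderId, voterId, names) decide who created a poll or cast a vote; in the hardened mode the handler ignores those fields and uses only the occupant JID in the stanza's `from` attribute, which the XMPP server stamps on every groupchat message and a client cannot choose. The stanza list, the poll message shape, the occupant names and the roster map are all constructed for the example.

```javascript
// Added example (not jitsi-meet's own code): poll/vote handling that either
// trusts identity fields in the message body (vulnerable) or derives identity
// from the server-stamped occupant JID in `from` (hardened).

// Constructed roster: occupant nick -> display name, as learned from MUC
// presence rather than from the poll message body.
const ROSTER = new Map([
  ['alice', 'Alice'],
  ['bob', 'Bob'],
  ['mallory', 'Mallory'],
]);

// Constructed stanzas. `from` is what the MUC service stamped; `body` is the
// payload the sending client chose, so every field in it is attacker-controlled.
const STANZAS = [
  { from: 'room@conference.example.org/alice',
    body: { type: 'new-poll', pollId: 'p1', senderId: 'alice', senderName: 'Alice',
            question: 'Ship on Friday?', answers: ['yes', 'no'] } },
  // Bob casts his genuine vote on p1.
  { from: 'room@conference.example.org/bob',
    body: { type: 'answer-poll', pollId: 'p1', voterId: 'bob', voterName: 'Bob',
            answers: [false, true] } },
  // Mallory forges a poll that claims to come from Alice.
  { from: 'room@conference.example.org/mallory',
    body: { type: 'new-poll', pollId: 'p2', senderId: 'alice', senderName: 'Alice',
            question: 'Give Mallory moderator rights?', answers: ['yes', 'no'] } },
  // Mallory then "re-votes" on p1 in Bob's name.
  { from: 'room@conference.example.org/mallory',
    body: { type: 'answer-poll', pollId: 'p1', voterId: 'bob', voterName: 'Bob',
            answers: [true, false] } },
];

// The occupant nick is the resource part of the occupant JID the server set.
// A bare room JID (no resource) is not an occupant and is dropped.
function occupantOf(stanza) {
  const idx = typeof stanza.from === 'string' ? stanza.from.indexOf('/') : -1;
  return idx < 0 ? null : stanza.from.slice(idx + 1);
}

// trustBody === true reproduces the vulnerable behaviour; false is the fix.
function processPolls(stanzas, trustBody) {
  const polls = new Map();
  for (const s of stanzas) {
    const b = s.body;
    const occupant = occupantOf(s);
    if (!occupant || !b || typeof b !== 'object') continue;

    if (b.type === 'new-poll') {
      if (typeof b.pollId !== 'string' || polls.has(b.pollId)) continue;
      if (!Array.isArray(b.answers) || b.answers.length === 0) continue;
      const sender = trustBody ? b.senderId : occupant;
      const senderName = trustBody ? b.senderName : (ROSTER.get(occupant) ?? occupant);
      polls.set(b.pollId, {
        sender, senderName, question: String(b.question),
        answers: b.answers, votes: new Map(),
      });
    } else if (b.type === 'answer-poll') {
      const poll = polls.get(b.pollId);
      if (!poll) continue;
      if (!Array.isArray(b.answers) || b.answers.length !== poll.answers.length) continue;
      const voter = trustBody ? b.voterId : occupant;
      // One ballot per voter; a later message from the same voter replaces it.
      poll.votes.set(voter, b.answers.map(Boolean));
    }
  }
  return polls;
}

// Convenience accessors used by the usage demo below.
function pollSender(polls, pollId) { return polls.get(pollId)?.sender ?? null; }
function voteOf(polls, pollId, voter) { return polls.get(pollId)?.votes.get(voter) ?? null; }

const vulnerable = processPolls(STANZAS, true);
const hardened = processPolls(STANZAS, false);
console.log('vulnerable: p2 attributed to', pollSender(vulnerable, 'p2'),
            '; bob\'s p1 vote =', JSON.stringify(voteOf(vulnerable, 'p1', 'bob')));
console.log('hardened:   p2 attributed to', pollSender(hardened, 'p2'),
            '; bob\'s p1 vote =', JSON.stringify(voteOf(hardened, 'p1', 'bob')),
            '; mallory\'s p1 vote =', JSON.stringify(voteOf(hardened, 'p1', 'mallory')));
```

With body fields trusted, poll p2 is shown as Alice's and Mallory's forged ballot silently replaces Bob's real one. With identity derived from the occupant JID, p2 is attributed to Mallory, Bob's vote survives, and Mallory's forged ballot counts only as Mallory's own vote. The hardened handler deliberately ignores any senderId/voterId/name fields rather than comparing them to the session identity: comparing still leaves a parser that reads untrusted identity data, whereas ignoring removes the field from the trust boundary entirely.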
Patches
Fixed in version 2.0.8044.
Workarounds
None; upgrading is necessary.
Reported by
Mustafa Jamal (xsky) and, independently, Robertas Maleckas (ETH Zurich), Prof. Kenny Paterson (ETH Zurich) and Prof. Martin Albrecht (Royal Holloway, University of London)
For more information
https://github.com/jitsi/security-advisories/blob/master/advisories/JSA-2022-0004.md