CVE-2024-44080

7.5 HIGH

📋 TL;DR

This vulnerability in Jitsi Meet allows attackers to make clients load GIFs from arbitrary URLs by sending specially crafted messages. This affects all users of vulnerable Jitsi Meet instances who receive messages from other participants. The vulnerability enables cross-site scripting attacks through image loading.

💻 Affected Systems

Products:
  • Jitsi Meet
Versions: All versions before 2.0.9779
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Jitsi Meet deployments with the Giphy integration enabled (default configuration).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could load malicious content from arbitrary domains, potentially leading to session hijacking, credential theft, or malware distribution through the Jitsi Meet interface.

🟠 Likely Case

Attackers could load tracking pixels, display inappropriate content, or perform limited cross-site scripting attacks within the Jitsi Meet interface.

🟢 If Mitigated

With proper content security policies and network filtering, the impact is limited to loading images from untrusted sources without script execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires sending messages to a Jitsi Meet room, which typically requires participant access. The vulnerability is simple to exploit once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.9779 and later

Vendor Advisory: https://github.com/jitsi/security-advisories/blob/master/advisories/JSA-2024-0002.md

Restart Required: Yes

Instructions:

1. Update Jitsi Meet to version 2.0.9779 or later.
2. Restart the Jitsi Meet service.
3. Verify the update was successful by checking the version.

🔧 Temporary Workarounds

Disable Giphy integration (Platform: all)

Disable the vulnerable Giphy image sharing functionality: set 'disableGiphy' to true in the Jitsi Meet configuration.

Implement Content Security Policy (Platform: all)

Restrict image loading to trusted domains only: add the CSP header img-src 'self' https://media.giphy.com
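The CSP workaround above draws a host boundary in the browser; the following is an added example (not Jitsi Meet's own code) of the equivalent check in client code, applied to a GIF URL before it is rendered. The only allowlisted host is media.giphy.com, taken from the CSP line; the `evil.example` lookalike URLs are constructed inputs.

```javascript
// Added example, not Jitsi Meet code: exact-host allowlist for GIF URLs.
// ALLOWED_GIF_HOSTS holds the host named in the page's CSP workaround.
const ALLOWED_GIF_HOSTS = new Set(["media.giphy.com"]);

// Returns the normalized URL string if it may be loaded, otherwise null.
function allowedGifUrl(raw) {
  let url;
  try {
    url = new URL(String(raw)); // throws on relative paths and non-URLs
  } catch {
    return null;
  }
  // Scheme first: rejects http:, data:, javascript:, blob: and similar.
  if (url.protocol !== "https:") return null;
  // Credentials in the authority ("https://media.giphy.com@evil.example/")
  // place the allowlisted name in the username, not the host.
  if (url.username || url.password) return null;
  // Exact host match: a substring or suffix match would accept
  // "media.giphy.com.evil.example" or "evil.example/media.giphy.com/...".
  if (!ALLOWED_GIF_HOSTS.has(url.hostname)) return null; // hostname is lowercased by URL
  // A non-default port is a different origin than the CSP source permits.
  if (url.port !== "") return null;
  return url.href;
}

// Constructed sample inputs: two legitimate Giphy URLs and eight lookalikes.
const SAMPLES = [
  "https://media.giphy.com/media/abc123/giphy.gif",
  "https://MEDIA.GIPHY.COM/media/abc123/giphy.gif",
  "http://media.giphy.com/media/abc123/giphy.gif",
  "https://media.giphy.com.evil.example/track.gif",
  "https://evil.example/media.giphy.com/track.gif",
  "https://media.giphy.com@evil.example/track.gif",
  "https://media.giphy.com:8443/media/abc123/giphy.gif",
  "javascript:alert(1)",
  "data:image/gif;base64,R0lGODlhAQABAAAAACw=",
  "/media/abc123/giphy.gif",
];

// Labels each sample as allowed or blocked; used for the printout below.
function classifySamples(samples = SAMPLES) {
  return samples.map((s) => ({ input: s, allowed: allowedGifUrl(s) !== null }));
}

for (const r of classifySamples()) {
  console.log(r.allowed ? "ALLOW" : "BLOCK", r.input);
}
```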

🧯 If You Can't Patch

  • Implement network filtering to block image loading from untrusted domains
  • Monitor for unusual image loading patterns in Jitsi Meet logs

🔍 How to Verify

Check if Vulnerable:

Check if Jitsi Meet version is below 2.0.9779 and Giphy integration is enabled

Check Version:

Check Jitsi Meet web interface or configuration files for version information

Verify Fix Applied:

Verify version is 2.0.9779 or later and test that arbitrary URL image loading is blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual image loading patterns
  • Requests to non-Giphy domains for GIFs
  • Messages with encoded URLs in image format

Network Indicators:

  • HTTP requests to arbitrary domains for image files from Jitsi Meet clients
  • Unusual outbound traffic patterns

SIEM Query:

source="jitsi" AND (url CONTAINS "gif" OR url CONTAINS "image") AND NOT domain IN ("media.giphy.com", "trusted-domains")

Replace "trusted-domains" with the image hosts your deployment actually allows; the query is pseudo-syntax to adapt to your SIEM's query language.
