Vulnerability Details : CVE-2020-25019
jitsi-meet-electron (aka Jitsi Meet Electron) before 2.3.0 calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource, in some circumstances.
Products affected by CVE-2020-25019
- cpe:2.3:a:jitsi:meet_electron:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-25019
- EPSS score: 0.19% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~56% (the proportion of all scored vulnerabilities with an EPSS score at or below this one)
CVSS scores for CVE-2020-25019
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2020-25019
- The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2020-25019
- https://github.com/jitsi/jitsi-meet-electron/releases/tag/v2.3.0 (Release Notes; Third Party Advisory)
- https://security.stackexchange.com/questions/225799 : "remote code execution - Dangers of Electron's "shell.openExternal" on untrusted content", Information Security Stack Exchange (Exploit; Third Party Advisory)
- https://github.com/jitsi/jitsi-meet-electron/commit/ca1eb702507fdc4400fe21c905a9f85702f92a14 : "Share logic for opening external links", jitsi/jitsi-meet-electron@ca1eb70 on GitHub (Patch; Third Party Advisory)