CVE-2022-43550

Published: Feb 9, 2023Modified: Jun 17, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

A command injection vulnerability exists in Jitsi before commit 8aa7be58522f4264078d54752aae5483bfd854b2 when launching browsers on Windows which could allow an attacker to insert an arbitrary URL which opens up the opportunity to remote execution.

Affected (1)

Products: Jitsi: Jitsi

Jitsi

1 product

Jitsi

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Jitsi Jitsi	Before 2022-09-14

Running on/with	Platform Versions
Microsoft Windows	All versions

Related CWEs

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

https://github.com/jitsi/jitsi/commit/8aa7be58522f4264078d54752aae5483bfd854b2

Source: support@hackerone.com

Patch

https://github.com/jitsi/jitsi/commit/8aa7be58522f4264078d54752aae5483bfd854b2

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

Timeline

No history available yet.