huntr, P0cas, A6CA142E-60AA-4D6F-B231-5D1BCD1B7190
Dec 14, 2021 - 12:48 p.m.

Cross-site Scripting (XSS) - Stored in meetecho/janus-gateway

2021-12-14 12:48:01
p0cas
www.huntr.dev

EPSS: 0.001 (Low), percentile 30.0%

Description

A stored XSS vulnerability occurs in the chat window because the user's input value is inserted into the web page without verification.

				to: username,
				text: result
			};
			textroom.data({
				text: JSON.stringify(message),
				error: function(reason) { bootbox.alert(reason); },
				success: function() {
					$('#chatroom').append('<p>[' + getDateString() + '] <b>[whisper to ' + display + ']</b> ' + result);
					$('#chatroom').get(0).scrollTop = $('#chatroom').get(0).scrollHeight;
				}
			});
		}
	});
	return;

The code above is the logic that inserts a participant's chat message into the chat window. Because it does not convert the value of result to HTML entities, it causes stored XSS. This is the private chat feature. In other words, it is seen as a vulnerability of the website itself rather than as damage.
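The missing encoding step, as an added example that is not part of the original report or of janus-gateway's code: the same string concatenation beside a form that converts each value to HTML entities first. The helper names (escapeHtml, renderWhisperUnsafe, renderWhisperSafe) are hypothetical, and treating display as user-controlled is an assumption.

```javascript
// Added example: escapeHtml, renderWhisperUnsafe and renderWhisperSafe are
// hypothetical helpers, not part of janus-gateway.

// Characters that have meaning in HTML text or attribute context.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;'
};

// Convert untrusted text to HTML entities so the browser renders it as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Same concatenation as the reported code: `result` reaches the DOM as markup.
function renderWhisperUnsafe(dateString, display, result) {
  return '<p>[' + dateString + '] <b>[whisper to ' + display + ']</b> ' + result;
}

// Hardened form: every value is entity-encoded before concatenation.
// Assumption: `display` may also be user-controlled, so it is escaped too.
function renderWhisperSafe(dateString, display, result) {
  return '<p>[' + escapeHtml(dateString) + '] <b>[whisper to ' +
    escapeHtml(display) + ']</b> ' + escapeHtml(result) + '</p>';
}

// Constructed sample input: the markup used in the proof of concept.
const sample = '<img src>, <a href>xss</a>';
console.log(renderWhisperUnsafe('12:48:01', 'bob', sample)); // tags survive
console.log(renderWhisperSafe('12:48:01', 'bob', sample));   // tags shown as text
```

With jQuery, the same effect comes from building the element and setting the message with `.text()` instead of concatenating it into the string passed to `.append()`.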

Proof of Concept

1. Open https://janus.conf.meetecho.com/textroomtest.html twice.
2. Click the Start button in both (simultaneous access to the chat window from two windows).
3. Click Participants, use the private chat feature and enter <img src>, <a href>xss</a>.
4. XSS then occurs in the chat window.

Video : https://www.youtube.com/watch?v=bOOPCaNnIfI

Impact

Through this vulnerability, an attacker can execute malicious scripts.
