Listen to this Post
How the CVE works (technical explanation):
The flaw exists in `plugin/Meet/iframe.php` where `$readyToClose` is built using unsanitized `user` and `pass` parameters from User::loginFromRequestToGet(). This function (in objects/user.php:3363-3373) returns raw concatenation of `$_REQUEST[‘user’]` and `$_REQUEST[‘pass’]` without any encoding. The value is then injected directly into a JavaScript double‑quoted string literal inside a `
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent may adversely affect certain features and functions.
We do not sell your personal data. If you wish to exercise your rights under applicable privacy laws, please visit our Do Not Sell My Personal Information page.