Florian Leleu

**Name of the Vulnerable Software and Affected Versions** Mirotalk versions prior to commit 9de226 **Description** The issue is related to incorrect access control in the component app/src/server.js, allowing unauthenticated attackers without presenter privileges to eject users from a meeting arbitrarily. **Recommendations** For versions prior to commit 9de226, update to a version that includes commit 9de226 or later to resolve the issue. As a temporary workaround, consider restricting access to the meeting functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mirotalk versions before commit 9de226 **Description** The issue is a DOM-based cross-site scripting (XSS) vulnerability. This allows attackers to execute arbitrary code by sending crafted payloads in messages to other users over RTC connections. **Recommendations** For versions before commit 9de226, update to a version that includes commit 9de226 or later to resolve the issue. As a temporary workaround, consider restricting the use of message sending over RTC connections until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mirotalk versions prior to commit 9de226 **Description** The issue is related to incorrect access control, allowing attackers to change usernames by sending a crafted roomAction request to the server. **Recommendations** For versions prior to commit 9de226, update to a version that includes the fix for this issue, specifically commit 9de226 or later.