Jitsi: Attacker is able to cast a vote using the Victim's name on the Polls
Team Summary
Official summary from 8x8 Bounty
The poll feature used to send user JIDs and names included in protocol messages, rather than deriving them from the XMPP session of the sender. Consequently, anyone in the conference could send messages with fake senderId or voterId values, and arbitrarily forge polls and votes.
Jitsi Security Advisory has been published: https://github.com/jitsi/security-advisories/blob/master/advisories/JSA-2022-0004.md
jitsi-meet repository advisory: https://github.com/jitsi/jitsi-meet/security/advisories/GHSA-rj5g-9fmh-p5fj
Community forum: https://community.jitsi.org/t/new-security-advisory-jsa-2022-0004-low/118951
We thank @xsky for submitting this report to us.
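The trust problem the summary describes is an identity field carried inside an attacker-controlled message body. The following is an added example written for this page, not jitsi-meet's code: it contrasts a vote handler that reads voterId from the message body with one that takes the voter identity from the server-stamped sender of the stanza. The message shape, the function names, the poll layout and the JIDs are all assumptions made for the illustration; the same fix applies to a senderId on poll-creation messages.

```javascript
// Added illustration, not jitsi-meet code. Message shapes, function names and
// JIDs below are assumptions made for this example.

// Minimal poll state: one poll, each answer holds the set of voters.
function createPoll(pollId, question, answers) {
  return {
    pollId,
    question,
    answers: answers.map((name) => ({ name, voters: new Set() })),
  };
}

// A constructed XMPP-style envelope. In a multi-user chat the server stamps
// `from` on every stanza it relays, so another occupant cannot choose it;
// everything inside `body` is chosen by the sender.
function makeStanza(from, body) {
  return { from, body };
}

function applyVote(poll, pollId, voterId, answerIndex) {
  if (pollId !== poll.pollId) throw new Error('unknown poll');
  const answer = poll.answers[answerIndex];
  if (!answer) throw new Error('bad answer index');
  // One vote per voter: drop any earlier vote under the same identity.
  for (const a of poll.answers) a.voters.delete(voterId);
  answer.voters.add(voterId);
  return voterId;
}

// Vulnerable pattern: the voter identity is read from the message body,
// so any occupant can put someone else's JID in `voterId`.
function recordVoteTrustingBody(poll, stanza) {
  const { pollId, voterId, answerIndex } = stanza.body;
  return applyVote(poll, pollId, voterId, answerIndex);
}

// Hardened pattern: the voter identity is the stanza's server-stamped `from`,
// i.e. it is derived from the sender's session, and any `voterId` in the body
// is ignored outright.
function recordVoteFromSession(poll, stanza) {
  const { pollId, answerIndex } = stanza.body;
  return applyVote(poll, pollId, stanza.from, answerIndex);
}

function votersFor(poll, answerIndex) {
  return [...poll.answers[answerIndex].voters].sort();
}

// Scenario (constructed): the attacker sends a vote claiming to be the victim.
const ATTACKER = 'room@conference.example.org/attacker'; // assumed JID
const VICTIM = 'room@conference.example.org/victim';     // assumed JID

const forgedVote = makeStanza(ATTACKER, {
  pollId: 'p1',
  voterId: VICTIM,  // forged: the attacker names the victim as the voter
  answerIndex: 1,
});

function runScenario() {
  const vulnerable = createPoll('p1', 'Ship it?', ['no', 'yes']);
  const hardened = createPoll('p1', 'Ship it?', ['no', 'yes']);
  return {
    vulnerableVoter: recordVoteTrustingBody(vulnerable, forgedVote),
    hardenedVoter: recordVoteFromSession(hardened, forgedVote),
    vulnerableYes: votersFor(vulnerable, 1),
    hardenedYes: votersFor(hardened, 1),
  };
}

console.log(runScenario());
```

With the body-trusting handler the "yes" column lists the victim even though the victim never voted; with the session-derived handler the same stanza is recorded under the attacker's own occupant JID, and the forged field has no effect.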
Report Details
Additional information and metadata
State
Closed
Substate
Resolved