CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22737 – wire-server vulnerable to unauthorized removal of Bots from Conversations
https://notcve.org/view.php?id=CVE-2023-22737
27 Jan 2023 — wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. • https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223 • CWE-280: Improper Handling of Insufficient Permissions or Privileges CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-39380 – wire-webapp contains Improper Handling of Exceptional Conditions leading to a DoS via Markdown Rendering
https://notcve.org/view.php?id=CVE-2022-39380
27 Jan 2023 — Wire web-app is part of Wire communications. Versions prior to 2022-11-02 are subject to Improper Handling of Exceptional Conditions. In the wire-webapp, certain combinations of Markdown formatting can trigger an unhandled error in the conversion to HTML representation. The error makes it impossible to display the affected chat history, other conversations are not affected. The issue has been fixed in version 2022-11-02 and is already deployed on all Wire managed services. • https://github.com/wireapp/wire-webapp/security/advisories/GHSA-v5mf-358q-w7m4 • CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 1CVE-2022-43673
https://notcve.org/view.php?id=CVE-2022-43673
18 Nov 2022 — Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\Roaming\Wire\IndexedDB\https_app.wire.com_0.indexeddb.leveldb database. La conexión hasta 3.22.3993 en Windows anuncia la eliminación de mensajes enviados; no obstante, todos los mensajes se pueden recuperar (por un período de tiempo limitado) de la base de datos AppData\Roaming\Wire\IndexedDB\https_app.wire.com_0.indexeddb.leveldb. • https://wire.com • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31122 – Wire-server vulnerable to Token Recipient Confusion resulting in account impersonation, deletion or malicious account creation
https://notcve.org/view.php?id=CVE-2022-31122
18 Oct 2022 — Wire is an encrypted communication and collaboration platform. Versions prior to 2022-07-12/Chart 4.19.0 are subject to Token Recipient Confusion. If an attacker has certain details of SAML IdP metadata, and configures their own SAML on the same backend, the attacker can delete all SAML authenticated accounts of a targeted team, Authenticate as a user of the attacked team and create arbitrary accounts in the context of the team if it is not managed by SCIM. This issue is fixed in wire-server 2022-07-12 and ... • https://github.com/wireapp/wire-server/security/advisories/GHSA-gq27-gmgq-fmxw • CWE-287: Improper Authentication CWE-1270: Generation of Incorrect Security Tokens •
CVSS: 9.6EPSS: 0%CPEs: 367EXPL: 0CVE-2022-29168 – Cross Site Scripting in Wire Messages
https://notcve.org/view.php?id=CVE-2022-29168
25 Jun 2022 — Wire is a secure messaging application. Wire is vulnerable to arbitrary HTML and Javascript execution via insufficient escaping when rendering `@mentions` in the wire-webapp. If a user receives and views a malicious message, arbitrary code is injected and executed in the context of the victim allowing the attacker to fully control the user account. Wire-desktop clients that are connected to a vulnerable wire-webapp version are also vulnerable to this attack. The issue has been fixed in wire-webapp 2022-05-0... • https://github.com/wireapp/wire-webapp/security/advisories/GHSA-jgv3-4j56-fvh6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31009 – DoS vulnerability: Invalid Accent Colors
https://notcve.org/view.php?id=CVE-2022-31009
23 Jun 2022 — wire-ios is an iOS client for the Wire secure messaging application. Invalid accent colors of Wire communication partners may render the iOS Wire Client partially unusable by causing it to crash multiple times on launch. These invalid accent colors can be used by and sent between Wire users. The root cause was an unnecessary assert statement when converting an integer value into the corresponding enum value, causing an exception instead of a fallback to a default value. This issue is fixed in [wire-ios](htt... • https://github.com/wireapp/wire-ios/commit/caa0e27dbe51f9edfda8c7a9f017d93b8cfddefb • CWE-617: Reachable Assertion •
CVSS: 9.6EPSS: 0%CPEs: 362EXPL: 0CVE-2022-24799 – Cross Site Scripting in Wire Webapp
https://notcve.org/view.php?id=CVE-2022-24799
20 Apr 2022 — wire-webapp is the web application interface for the wire messaging service. Insufficient escaping in markdown “code highlighting” in the wire-webapp resulted in the possibility of injecting and executing arbitrary HTML code and thus also JavaScript. If a user receives and views such a malicious message, arbitrary code is injected and executed in the context of the victim. This allows the attacker to fully control the user account. Wire-desktop clients that are connected to a vulnerable wire-webapp version ... • https://github.com/wireapp/wire-webapp/commit/d14455252a949dc83f36d45e2babbdd9328af2a4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-41119 – DoS vulnerabiliity in wire-server json parser
https://notcve.org/view.php?id=CVE-2021-41119
13 Apr 2022 — Wire-server is the system server for the wire back-end services. Releases prior to v2022-03-01 are subject to a denial of service attack via a crafted object causing a hash collision. This collision causes the server to spend at least quadratic time parsing it which can lead to a denial of service for a heavily used server. The issue has been fixed in wire-server 2022-03-01 and is already deployed on all Wire managed services. On premise instances of wire-server need to be updated to 2022-03-01, so that the... • https://cs-syd.eu/posts/2021-09-11-json-vulnerability • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23610 – Improper Verification of Cryptographic Signature in wire-server
https://notcve.org/view.php?id=CVE-2022-23610
16 Mar 2022 — wire-server provides back end services for Wire, an open source messenger. In versions of wire-server prior to the 2022-01-27 release, it was possible to craft DSA Signatures to bypass SAML SSO and impersonate any Wire user with SAML credentials. In teams with SAML, but without SCIM, it was possible to create new accounts with fake SAML credentials. Under certain conditions that can be established by an attacker, an upstream library for parsing, rendering, signing, and validating SAML XML data was accepting... • https://github.com/wireapp/wire-server/releases/tag/v2022-01-27 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-23625 – DoS vulnerability: Malformed Resource Identifiers
https://notcve.org/view.php?id=CVE-2022-23625
11 Mar 2022 — Wire-ios is a messaging application using the wire protocol on apple's ios platform. In versions prior to 3.95 malformed resource identifiers may render the iOS Wire Client completely unusable by causing it to repeatedly crash on launch. These malformed resource identifiers can be generated and sent between Wire users. The root cause lies in [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), where code responsible for removing sensible tokens before logging may fail and lead to a c... • https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170 • CWE-755: Improper Handling of Exceptional Conditions •