
CVE-2022-23625 – DoS vulnerability: Malformed Resource Identifiers
https://notcve.org/view.php?id=CVE-2022-23625
11 Mar 2022 — Wire-ios is a messaging application using the Wire protocol on Apple's iOS platform. In versions prior to 3.95, malformed resource identifiers may render the iOS Wire client completely unusable by causing it to repeatedly crash on launch. These malformed resource identifiers can be generated and sent between Wire users. The root cause lies in [wireapp/wire-ios-transport](https://github.com/wireapp/wire-ios-transport), where code responsible for removing sensitive tokens before logging may fail and lead to a c... • https://github.com/wireapp/wire-ios-transport/commit/02e90aa45edaf7eb2d8b97fa2377cd8104274170 • CWE-755: Improper Handling of Exceptional Conditions •

CVE-2021-41193 – Use of Externally-Controlled Format String in wire-avs
https://notcve.org/view.php?id=CVE-2021-41193
01 Mar 2022 — wire-avs is the audio visual signaling (AVS) component of Wire, an open-source messenger. A remote format string vulnerability in versions prior to 7.1.12 allows an attacker to cause a denial of service or possibly execute arbitrary code. The issue has been fixed in wire-avs 7.1.12. There are currently no known workarounds. • https://github.com/wireapp/wire-avs/commit/40d373ede795443ae6f2f756e9fb1f4f4ae90bbe • CWE-134: Use of Externally-Controlled Format String •

CVE-2022-23605 – Expired Ephemeral Messages not reliably removed in wire-webapp
https://notcve.org/view.php?id=CVE-2022-23605
04 Feb 2022 — Wire webapp is a web client for the Wire messaging protocol. In versions prior to 2022-01-27-production.0, expired ephemeral messages were not reliably removed from the local chat history of Wire Webapp. In versions before 2022-01-27-production.0, ephemeral messages and assets might still be accessible through the local search functionality. Any attempt to view one of these messages in the chat view will then trigger the deletion. This issue only affects locally stored messages. • https://github.com/wireapp/wire-webapp/commit/42c9a1edddbdd5d4d8f9a196a98f6fc19bb21741 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •

CVE-2021-41100 – Account takeover when having only access to a user's short lived token in wire-server
https://notcve.org/view.php?id=CVE-2021-41100
04 Oct 2021 — Wire-server is the backing server for the open source Wire secure messaging application. In affected versions it is possible to trigger an email address change of a user with only the short-lived session token in the `Authorization` header. As the short-lived token is only meant as a means of authentication by the client for less critical requests to the backend, the ability to change the email address with a short-lived token constitutes a privilege escalation attack. Since the attacker can change the password ... • https://github.com/wireapp/wire-server/security/advisories/GHSA-9rm2-w6pq-333m • CWE-285: Improper Authorization • CWE-613: Insufficient Session Expiration •

CVE-2021-41094 – Mandatory encryption at rest can be bypassed (UI) in Wire app
https://notcve.org/view.php?id=CVE-2021-41094
04 Oct 2021 — Wire is an open source secure messenger. Users of Wire by Bund may bypass the mandatory encryption at rest feature by simply disabling their device passcode. Upon launching, the app will attempt to enable encryption at rest by generating encryption keys via the Secure Enclave; however, it will fail silently if no device passcode is set. The user has no indication that encryption at rest is not active since the feature is hidden from them. This issue has been resolved in version 3.70. • https://github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746 • CWE-668: Exposure of Resource to Wrong Sphere •

CVE-2021-41093 – Account takeover when having only access to a user's short lived token
https://notcve.org/view.php?id=CVE-2021-41093
04 Oct 2021 — Wire is an open source secure messenger. In affected versions, if an attacker gets an old but valid access token they can take over an account by changing the email. This issue has been resolved in version 3.86, which uses a new endpoint that additionally requires an authentication cookie. See wire-ios-sync-engine and wire-ios-transport references. This is the root advisory that pulls the changes together. • https://github.com/wireapp/wire-ios-sync-engine/security/advisories/GHSA-w727-5f74-49xj • CWE-285: Improper Authorization • CWE-863: Incorrect Authorization •

CVE-2021-41101 – CORS `Access-Control-Allow-Origin` settings are too lenient
https://notcve.org/view.php?id=CVE-2021-41101
30 Sep 2021 — wire-server is an open-source back end for Wire, a secure collaboration platform. Before version 2.106.0, the CORS `Access-Control-Allow-Origin` header set by `nginz` is set for all subdomains of `.wire.com` (including `wire.com`). This means that if somebody were to find an XSS vector in any of the subdomains, they could use it to talk to the Wire API using the user's cookie. A patch does not exist, but a workaround does. To make sure that a compromise of one subdomain does not yield access to the cookie... • https://github.com/wireapp/wire-server/security/advisories/GHSA-v7xx-cx8m-g66p • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-32755 – Certificate pinning is not enforced on the web socket connection
https://notcve.org/view.php?id=CVE-2021-32755
13 Jul 2021 — Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above. • https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v • CWE-295: Improper Certificate Validation •

CVE-2021-32683 – XSS through createObjectURL
https://notcve.org/view.php?id=CVE-2021-32683
15 Jun 2021 — wire-webapp is the web version of Wire, an open-source messenger. A cross-site scripting vulnerability exists in wire-webapp prior to version 2021-06-01-production.0. If a user is instructed to open an image in a new tab (right click -> open in new tab, or copy the URL and paste it in the URL bar), the image payload is executed on the domain hosting the app (app.wire.com). In particular, if an image contains malicious code in addition to the actual picture, this code is executed on app.wire.com. This all... • https://github.com/wireapp/wire-webapp/commit/056e39d327bb10c1b0958dfbea0c39752692a1b0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-21382 – Unsafe loopback forwarding interface in Restund
https://notcve.org/view.php?id=CVE-2021-21382
11 Jun 2021 — Restund is an open source NAT traversal server. The restund TURN server can be instructed to open a relay to the loopback address range. This allows you to reach any other service running on localhost which you might consider private. In the configuration that we ship (https://github.com/wireapp/ansible-restund/blob/master/templates/restund.conf.j2#L40-L43) the `status` interface of restund is enabled and is listening on `127.0.0.1`. The `status` interface allows users to issue administrative commands to `re... • https://docs.wire.com/understand/restund.html • CWE-668: Exposure of Resource to Wrong Sphere • CWE-862: Missing Authorization •