
CVE-2021-32666 – Asset DoS vulnerability
https://notcve.org/view.php?id=CVE-2021-32666
03 Jun 2021 — wire-ios is the iOS version of Wire, an open-source secure messaging app. In wire-ios versions 3.8.0 and prior, a vulnerability exists that can cause a denial of service between users. If a user has an invalid assetID for their profile picture and it contains the " character, it will cause the iOS client to crash. The vulnerability is patched in wire-ios version 3.8.1. • https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f • CWE-20: Improper Input Validation •

CVE-2021-32665 – Verified groups not reliable
https://notcve.org/view.php?id=CVE-2021-32665
03 Jun 2021 — wire-ios is the iOS version of Wire, an open-source secure messaging app. wire-ios versions 3.8.0 and earlier have a bug in which a conversation could be incorrectly set to "unverified". This occurs when: - Self user is added to a new conversation - Self user is added to an existing conversation - All the participants in the conversation were previously marked as verified. The vulnerability is patched in wire-ios version 3.8.1. As a workaround, one can unverify & verify a device in the conversation. • https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220 • CWE-345: Insufficient Verification of Data Authenticity •

CVE-2021-21400 – Entering code in App Lock modal sends input to conversation
https://notcve.org/view.php?id=CVE-2021-21400
02 Apr 2021 — wire-webapp is an open-source front end for Wire, a secure collaboration platform. In wire-webapp before version 2021-03-15-production.0, when being prompted to enter the app-lock passphrase, the typed passphrase will be sent into the most recently used chat when the user does not actively give focus to the input field. Input element focus is enforced programmatically in version 2021-03-15-production.0. • https://github.com/wireapp/wire-webapp/commit/281f2a9d795f68abe423c116d5da4e1e73a60062 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2021-21396 – Bulk list client endpoint exposes too much metadata about a client
https://notcve.org/view.php?id=CVE-2021-21396
26 Mar 2021 — wire-server is an open-source back end for Wire, a secure collaboration platform. In wire-server from version 2021-02-16 and before version 2021-03-02, the client metadata of all users was exposed in the `GET /users/list-clients` endpoint. The endpoint could be used by any logged-in user, who could request client details of any other user (no connection required) as long as they can find their User ID. The exposed metadata included id, class, type, location, time, and cookie. A user on a Wire backend could us... • https://github.com/wireapp/wire-server/commit/7ba2bf4140282557cf215e0b2c354d4d08cd3421 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2021-21301 – Video feed was captured while user has disabled video
https://notcve.org/view.php?id=CVE-2021-21301
11 Feb 2021 — Wire is an open-source collaboration platform. In Wire for iOS (iPhone and iPad) before version 3.75 there is a vulnerability where the video capture isn't stopped in a scenario where a user first has their camera enabled and then disables it. It's a privacy issue because video is streamed to the call when the user believes it is disabled. It impacts all users in video calls. This is fixed in version 3.75. • https://github.com/wireapp/wire-ios/commit/7e3c30120066c9b10e50cc0d20012d0849c33a40 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2020-27853
https://notcve.org/view.php?id=CVE-2020-27853
27 Oct 2020 — Wire before 2020-10-16 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a format string. This affects Wire AVS (Audio, Video, and Signaling) 5.3 through 6.x before 6.4, the Wire Secure Messenger application before 3.49.918 for Android, and the Wire Secure Messenger application before 3.61 for iOS. This occurs via the value parameter to sdp_media_set_lattr in peerflow/sdp.c. • http://github.security.telekom.com/2020/11/wire-secure-messenger-format-string-vulnerability.html • CWE-134: Use of Externally-Controlled Format String •

CVE-2020-15258 – Insecure use of shell.openExternal in Wire
https://notcve.org/view.php?id=CVE-2020-15258
16 Oct 2020 — In Wire before 3.20.x, `shell.openExternal` was used without checking the URL. This vulnerability allows an attacker to execute code on the victim's machine by sending messages containing links with arbitrary protocols. The victim has to interact with the link and sees the URL that is opened. The issue was patched by implementing a helper function which checks if the URL's protocol is common. If it is common, the URL will be opened externally. • https://benjamin-altpeter.de/shell-openexternal-dangers • CWE-20: Improper Input Validation •

CVE-2018-8909
https://notcve.org/view.php?id=CVE-2018-8909
22 Mar 2018 — The Wire application before 2018-03-07 for Android allows attackers to write to pathnames outside of the downloads directory via a ../ in a filename of a received file, related to AssetService.scala. • https://www.x41-dsec.de/reports/X41-Kudelski-Wire-Security-Review-Android.pdf • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2010-3608 – wpQuiz 2.7 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2010-3608
24 Sep 2010 — Multiple SQL injection vulnerabilities in wpQuiz 2.7 allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) password (pw) parameters to (a) admin.php or (b) user.php. • https://www.exploit-db.com/exploits/15075 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2007-6172 – wpQuiz 2.7 - Multiple SQL Injections
https://notcve.org/view.php?id=CVE-2007-6172
30 Nov 2007 — Multiple SQL injection vulnerabilities in wpQuiz 2.7 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) viewimage.php and (2) comments.php. • https://www.exploit-db.com/exploits/4668 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •