CVSS: 5.7EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41101 – CORS `Access-Control-Allow-Origin` settings are too lenient
https://notcve.org/view.php?id=CVE-2021-41101
wire-server is an open-source back end for Wire, a secure collaboration platform. Before version 2.106.0, the CORS ` Access-Control-Allow-Origin ` header set by `nginz` is set for all subdomains of `.wire.com` (including `wire.com`). This means that if somebody were to find an XSS vector in any of the subdomains, they could use it to talk to the Wire API using the user's Cookie. A patch does not exist, but a workaround does. To make sure that a compromise of one subdomain does not yield access to the cookie of another, one may limit the `Access-Control-Allow-Origin` header to apps that actually require the cookie (account-pages, team-settings and the webapp). wire-server es un back end de código abierto para Wire, una plataforma de colaboración segura. • https://github.com/wireapp/wire-server/security/advisories/GHSA-v7xx-cx8m-g66p • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2021-32755 – Certificate pinning is not enforced on the web socket connection
https://notcve.org/view.php?id=CVE-2021-32755
Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above. Wire es una plataforma de colaboración. wire-ios-transport maneja la autenticación de peticiones, los fallos de red y los reintentos para la implementación de Wire en iOS. • https://github.com/wireapp/wire-ios-transport/security/advisories/GHSA-v8mx-h3vj-w39v • CWE-295: Improper Certificate Validation •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-32683 – XSS through createObjectURL
https://notcve.org/view.php?id=CVE-2021-32683
wire-webapp is the web version of Wire, an open-source messenger. A cross-site scripting vulnerability exists in wire-webapp prior to version 2021-06-01-production.0. If a user is instructed to open an image in a new tab (right click -> open in new tab, or copy the URL and paste it in the URL bar), an the image payload is executed on the domain hosting the app (app.wire.com). In particular, if an image contains malicious code in addition to the actual picture, this code is executed on app.wire.com. This allows the attacker to fully control the user account. • https://github.com/wireapp/wire-webapp/commit/056e39d327bb10c1b0958dfbea0c39752692a1b0 https://github.com/wireapp/wire-webapp/security/advisories/GHSA-382j-mmc8-m5rw • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32666 – Asset DoS vulnerability
https://notcve.org/view.php?id=CVE-2021-32666
wire-ios is the iOS version of Wire, an open-source secure messaging app. In wire-ios versions 3.8.0 and prior, a vulnerability exists that can cause a denial of service between users. If a user has an invalid assetID for their profile picture and it contains the " character, it will cause the iOS client to crash. The vulnerability is patched in wire-ios version 3.8.1. wire-ios es la versión para iOS de Wire, una aplicación de mensajería segura de código abierto. En wire-ios, versiones 3.8.0 y anteriores se presenta una vulnerabilidad que puede causar una denegación de servicio entre usuarios. • https://github.com/wireapp/wire-ios-data-model/commit/35af3f632085f51a2ce7f608fdaeffd1a69ad89f https://github.com/wireapp/wire-ios/security/advisories/GHSA-2x9x-vh27-h4rv • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32665 – Verified groups not reliable
https://notcve.org/view.php?id=CVE-2021-32665
wire-ios is the iOS version of Wire, an open-source secure messaging app. wire-ios versions 3.8.0 and earlier have a bug in which a conversation could be incorrectly set to "unverified. This occurs when: - Self user is added to a new conversation - Self user is added to an existing conversation - All the participants in the conversation were previously marked as verified. The vulnerability is patched in wire-ios version 3.8.1. As a workaround, one can unverify & verify a device in the conversation. wire-ios es la versión para iOS de Wire, una aplicación de mensajería segura de código abierto. Las versiones 3.8.0 y anteriores de wire-ios tienen un bug en el que una conversación podría ser incorrectamente establecida como "no verificada". • https://github.com/wireapp/wire-ios-data-model/commit/bf9db85886b12a20c8374f55b7c4a610e8ae9220 https://github.com/wireapp/wire-ios/security/advisories/GHSA-mc65-7w99-c6qv • CWE-345: Insufficient Verification of Data Authenticity •