CVSS: 8.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

wire-avs provides Audio, Visual, and Signaling (AVS) functionality for the secure messaging software Wire. Prior to versions 9.2.22 and 9.3.5, a remote format string vulnerability could potentially allow an attacker to cause a denial of service or possibly execute arbitrary code. The issue has been fixed in wire-avs 9.2.22 and 9.3.5 and is already included in all Wire products. No known workarounds are available. • https://github.com/wireapp/wire-avs/commit/364c3326a1331a84607bce2e17126306d39150cd https://github.com/wireapp/wire-avs/security/advisories/GHSA-m4xg-fcr3-w3pq • CWE-134: Use of Externally-Controlled Format String

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

wire-server provides back-end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversation members are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. • https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223 https://github.com/wireapp/wire-server/pull/2870 https://github.com/wireapp/wire-server/releases/tag/v2022-12-09 https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4 • CWE-280: Improper Handling of Insufficient Permissions or Privileges • CWE-862: Missing Authorization

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Wire web-app is part of Wire communications. Versions prior to 2022-11-02 are subject to Improper Handling of Exceptional Conditions. In the wire-webapp, certain combinations of Markdown formatting can trigger an unhandled error in the conversion to HTML representation. The error makes it impossible to display the affected chat history; other conversations are not affected. The issue has been fixed in version 2022-11-02 and is already deployed on all Wire managed services. • https://github.com/wireapp/wire-webapp/security/advisories/GHSA-v5mf-358q-w7m4 • CWE-755: Improper Handling of Exceptional Conditions

CVSS: 4.7 • EPSS: 0% • CPEs: 1 • EXPL: 1

Wire through 3.22.3993 on Windows advertises deletion of sent messages; nonetheless, all messages can be retrieved (for a limited period of time) from the AppData\Roaming\Wire\IndexedDB\https_app.wire.com_0.indexeddb.leveldb database. • https://wire.com https://www.secuvera.de/advisories/secuvera-SA-2022-01.txt • CWE-532: Insertion of Sensitive Information into Log File

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

Wire is an encrypted communication and collaboration platform. Versions prior to 2022-07-12/Chart 4.19.0 are subject to Token Recipient Confusion. If an attacker has certain details of SAML IdP metadata and configures their own SAML on the same backend, the attacker can delete all SAML-authenticated accounts of a targeted team, authenticate as a user of the attacked team, and create arbitrary accounts in the context of the team if it is not managed by SCIM. This issue is fixed in wire-server 2022-07-12 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-07-12/Chart 4.19.0 so that their backends are no longer affected. • https://github.com/wireapp/wire-server/security/advisories/GHSA-gq27-gmgq-fmxw • CWE-287: Improper Authentication • CWE-1270: Generation of Incorrect Security Tokens