Wire wire-webapp 2022-02-03 Staging0
Approved changes feed: RSS · Atom
cpe:2.3:a:wire:wire-webapp:2022-02-03:staging0:*:*:*:*:*:*
part: a version: 2022-02-03 update: staging0
| Vendor | Wire (b242ea1e-cceb-5996-8a95-4e04b0582e80) |
|---|---|
| Product | Wire Webapp (68c00953-b3f7-5c62-adbb-dfc7f33e975d) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:github/wireapp/wire-webapp |
purl2cpe | 2026-06-01 10:13:02.512050 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2022-29168 |
vulnerable | 2026-06-08 05:42:47.250443 |
Cross Site Scripting in Wire Messages
CRITICAL (9.6)
Wire is a secure messaging application. Wire is vulnerable to arbitrary HTML and Javascript execution via insufficient escaping when rendering `@mentions` in the wire-webapp. If a user receives and views a malicious message, arbitrary code is injected and executed in the context of the victim allowing the attacker to fully control the user account. Wire-desktop clients that are connected to a vulnerable wire-webapp version are also vulnerable to this attack. The issue has been fixed in wire-webapp 2022-05-04-production.0 and is already deployed on all Wire managed services. On-premise instances of wire-webapp need to be updated to docker tag 2022-05-04-production.0-v0.29.7-0-a6f2ded or wire-server 2022-05-04 (chart/4.11.0) or later. No known workarounds exist.
Published: 2022-06-25T07:05:09.000Z
Updated: 2025-04-23T18:08:54.718Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2022-24799 |
vulnerable | 2026-06-08 05:41:01.710106 |
Cross Site Scripting in Wire Webapp
CRITICAL (9.6)
wire-webapp is the web application interface for the wire messaging service. Insufficient escaping in markdown “code highlighting” in the wire-webapp resulted in the possibility of injecting and executing arbitrary HTML code and thus also JavaScript. If a user receives and views such a malicious message, arbitrary code is injected and executed in the context of the victim. This allows the attacker to fully control the user account. Wire-desktop clients that are connected to a vulnerable wire-webapp version are also vulnerable to this attack. The issue has been fixed in wire-webapp 2022-03-30-production.0 and is already deployed on all Wire managed services. On-premise instances of wire-webapp need to be updated to docker tag 2022-03-30-production.0-v0.29.2-0-d144552 or wire-server 2022-03-30 (chart/4.8.0), so that their applications are no longer affected. There are no known workarounds for this issue. ### Patches * The issue has been fixed in wire-webapp **2022-03-30-production.0** and is already deployed on all Wire managed services. * On-premise instances of wire-webapp need to be updated to docker tag **2022-03-30-production.0-v0.29.2-0-d144552** or wire-server **2022-03-30 (chart/4.8.0)**, so that their applications are no longer affected. ### Workarounds * No workarounds known ### For more information If you have any questions or comments about this advisory feel free to email us at [vulnerability-report@wire.com](mailto:vulnerability-report@wire.com) ### Credits We thank [Posix](https://twitter.com/po6ix) for reporting this vulnerability
Published: 2022-04-20T17:55:09.000Z
Updated: 2025-04-23T18:33:44.537Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.