Filtered by vendor Wire
Subscribe
Total
28 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-32666 | 1 Wire | 1 Wire | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| wire-ios is the iOS version of Wire, an open-source secure messaging app. In wire-ios versions 3.8.0 and prior, a vulnerability exists that can cause a denial of service between users. If a user has an invalid assetID for their profile picture and it contains the " character, it will cause the iOS client to crash. The vulnerability is patched in wire-ios version 3.8.1. | |||||
| CVE-2021-32683 | 1 Wire | 1 Wire-webapp | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| wire-webapp is the web version of Wire, an open-source messenger. A cross-site scripting vulnerability exists in wire-webapp prior to version 2021-06-01-production.0. If a user is instructed to open an image in a new tab (right click -> open in new tab, or copy the URL and paste it in the URL bar), an the image payload is executed on the domain hosting the app (app.wire.com). In particular, if an image contains malicious code in addition to the actual picture, this code is executed on app.wire.com. This allows the attacker to fully control the user account. The vulnerability was patched in version 2021-06-01-production.0. As a workaround, users should not try to open image URLs. | |||||
| CVE-2021-21400 | 1 Wire | 1 Wire-webapp | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM |
| wire-webapp is an open-source front end for Wire, a secure collaboration platform. In wire-webapp before version 2021-03-15-production.0, when being prompted to enter the app-lock passphrase, the typed passphrase will be sent into the most recently used chat when the user does not actively give focus to the input field. Input element focus is enforced programatically in version 2021-03-15-production.0. | |||||
| CVE-2021-32755 | 2 Apple, Wire | 2 Iphone Os, Wire | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| Wire is a collaboration platform. wire-ios-transport handles authentication of requests, network failures, and retries for the iOS implementation of Wire. In the 3.82 version of the iOS application, a new web socket implementation was introduced for users running iOS 13 or higher. This new websocket implementation is not configured to enforce certificate pinning when available. Certificate pinning for the new websocket is enforced in version 3.84 or above. | |||||
| CVE-2021-21301 | 1 Wire | 1 Wire | 2024-02-28 | 4.3 MEDIUM | 4.3 MEDIUM |
| Wire is an open-source collaboration platform. In Wire for iOS (iPhone and iPad) before version 3.75 there is a vulnerability where the video capture isn't stopped in a scenario where a user first has their camera enabled and then disables it. It's a privacy issue because video is streamed to the call when the user believes it is disabled. It impacts all users in video calls. This is fixed in version 3.75. | |||||
| CVE-2020-15258 | 1 Wire | 1 Wire | 2024-02-28 | 6.0 MEDIUM | 8.0 HIGH |
| In Wire before 3.20.x, `shell.openExternal` was used without checking the URL. This vulnerability allows an attacker to execute code on the victims machine by sending messages containing links with arbitrary protocols. The victim has to interact with the link and sees the URL that is opened. The issue was patched by implementing a helper function which checks if the URL's protocol is common. If it is common, the URL will be opened externally. If not, the URL will not be opened and a warning appears for the user informing them that a probably insecure URL was blocked from being executed. The issue is patched in Wire 3.20.x. More technical details about exploitation are available in the linked advisory. | |||||
| CVE-2020-27853 | 1 Wire | 3 Wire, Wire - Audio\, Video\, And Signaling, Wire Secure Messenger | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| Wire before 2020-10-16 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a format string. This affects Wire AVS (Audio, Video, and Signaling) 5.3 through 6.x before 6.4, the Wire Secure Messenger application before 3.49.918 for Android, and the Wire Secure Messenger application before 3.61 for iOS. This occurs via the value parameter to sdp_media_set_lattr in peerflow/sdp.c. | |||||
| CVE-2018-8909 | 1 Wire | 1 Wire | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| The Wire application before 2018-03-07 for Android allows attackers to write to pathnames outside of the downloads directory via a ../ in a filename of a received file, related to AssetService.scala. | |||||