Unknown · Wire-Server · CVE-2021-41101
**Name of the Vulnerable Software and Affected Versions**
wire-server versions prior to 2.106.0
**Description**
The issue concerns the CORS `Access-Control-Allow-Origin` header that `nginz` sets for all subdomains of `.wire.com`, including `wire.com` itself. Because the header is granted to every subdomain, an attacker who finds an XSS vector in any one of them can use it to call the Wire API with the user's cookie.
**Recommendations**
To mitigate the issue, restrict the `Access-Control-Allow-Origin` header to the apps that actually require the cookie, such as account-pages, team-settings, and the webapp. At the time of writing, there is no information about a newer version that contains a fix for this vulnerability.
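The following added example (not part of the advisory and not Wire's `nginz` configuration) models the two origin policies the advisory contrasts: a wildcard that grants `Access-Control-Allow-Origin` to every subdomain of `wire.com`, and an explicit allow-list of the apps that need the cookie. The hostnames in `ALLOWED_ORIGINS` and `SAMPLE_ORIGINS` are assumed for illustration; `over_permissive_origins` shows which origins the wildcard would accept that the allow-list would not.

```python
import re

# Weak policy (the behaviour the advisory describes): any https origin whose
# host is wire.com or a subdomain of it gets the header reflected back.
SUBDOMAIN_WILDCARD = re.compile(r"^https://([a-z0-9-]+\.)*wire\.com$")

# Strict policy: only the apps that actually need the cookie.
# These hostnames are assumptions for this example, not Wire's real ones.
ALLOWED_ORIGINS = frozenset({
    "https://account.wire.com",
    "https://teams.wire.com",
    "https://app.wire.com",
})

# Constructed sample Origin header values for the audit below.
SAMPLE_ORIGINS = [
    "https://app.wire.com",          # legitimate app, allowed by both
    "https://legacy.wire.com",       # hypothetical other subdomain
    "https://wire.com",              # apex domain, also covered by the wildcard
    "https://wire.com.example.org",  # lookalike, rejected by both
    "http://app.wire.com",           # plain http, rejected by both
]


def cors_origin_wildcard(origin):
    """Header value the weak policy emits for this Origin, or None."""
    if origin and SUBDOMAIN_WILDCARD.match(origin):
        return origin
    return None


def cors_origin_allowlist(origin):
    """Header value the strict policy emits for this Origin, or None."""
    if origin in ALLOWED_ORIGINS:
        return origin
    return None


def cors_headers(origin, policy):
    """Build the CORS response headers for a credentialed request.

    Browsers reject '*' when credentials are sent, so the server must echo a
    specific origin; that is exactly why the set of echoed origins must be
    small. 'Vary: Origin' keeps caches from serving one origin's header to
    another.
    """
    acao = policy(origin)
    if acao is None:
        return {}
    return {
        "Access-Control-Allow-Origin": acao,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def over_permissive_origins(origins):
    """Origins the wildcard policy accepts but the allow-list does not."""
    return sorted(
        o for o in origins
        if cors_origin_wildcard(o) is not None
        and cors_origin_allowlist(o) is None
    )


if __name__ == "__main__":
    for extra in over_permissive_origins(SAMPLE_ORIGINS):
        print("wildcard would grant cookie access to:", extra)
```

Running the audit over the constructed origins lists `https://legacy.wire.com` and `https://wire.com`: each would receive the header under the wildcard, so an XSS flaw there would be enough to reach the API with the user's cookie, while the allow-list confines that exposure to the three apps that need it.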