Unknown · Wire-Server · CVE-2021-41100
**Name of the Vulnerable Software and Affected Versions**
Wire-server versions prior to 2021-08-16
**Description**
The issue allows an attacker to trigger an email address change of a user with only the short-lived session token in the `Authorization` header, constituting a privilege escalation attack. This can result in an account takeover by the attacker, as they can change the password after setting the email address to one they control. Because the short-lived tokens are sent far more often, and as an HTTP header rather than a cookie, they are more likely to be exposed to an attacker. If you are running an on-prem instance and provision all users with SCIM, you are not affected by this issue. SAML single-sign-on is unaffected by this issue. The vulnerable endpoint is `/self/email`, which only accepts `PUT` and `DELETE` requests.
**Recommendations**
For versions prior to 2021-08-16, update to version 2021-08-16 or later, which provides a new endpoint that requires both the long-lived client cookie and `Authorization` header.
As a temporary workaround for on-prem instances that cannot be updated and have at least some users invited or provisioned via SAML SSO, block the `/self/email` endpoint on nginz or in any other proxies or firewalls.