PT-2022-16887 · Wire · Wire-Server+2

Posix · Published 2022-04-20 · Updated 2022-05-03 · CVE-2022-24799
CVSS v3.1: 9.6 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: wire-webapp versions prior to 2022-03-30-production.0
Description: The issue is related to insufficient escaping in the markdown "code highlighting" feature of wire-webapp, which allows arbitrary HTML, and therefore JavaScript, to be injected and executed. If a user receives and views a malicious message, the injected code runs in the context of the victim, allowing the attacker to fully control the user account. Wire-desktop clients connected to a vulnerable wire-webapp version are also vulnerable to this attack.
Recommendations: For wire-webapp versions prior to 2022-03-30-production.0, update to docker tag 2022-03-30-production.0-v0.29.2-0-d144552 or wire-server 2022-03-30 (chart/4.8.0) to resolve the issue. As a temporary workaround, consider restricting access to the markdown "code highlighting" feature until the update is applied.
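The defect class described above, as an added illustration that is not Wire's code: a minimal fenced-code renderer in its insufficiently escaped form beside a hardened form. It assumes the renderer wraps a fence in `<pre><code class="language-...">`; the sample input and all function names are constructed for this example.

```javascript
// Added example (not wire-webapp code): why a markdown "code highlighting"
// step must treat the fenced text as data, never as markup.

function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only a conservative language token may reach the class attribute, so the
// attribute value cannot be terminated early by an attacker-chosen name.
function safeLanguage(lang) {
  return /^[a-z0-9+#-]{1,20}$/i.test(lang) ? lang.toLowerCase() : "plaintext";
}

// Weak form: body and language are interpolated verbatim, so any markup
// inside the fence becomes live HTML in the viewing user's page.
function renderCodeBlockUnescaped(lang, code) {
  return `<pre><code class="language-${lang}">${code}</code></pre>`;
}

// Hardened form: escape the body and validate the language token.
function renderCodeBlockEscaped(lang, code) {
  return `<pre><code class="language-${safeLanguage(lang)}">${escapeHtml(code)}</code></pre>`;
}

// Constructed sample: an ordinary HTML snippet shared inside a code fence.
// The tags are the code being shown, not something the page should render.
const SAMPLE_CODE = '<div class="card">Hello & welcome</div>';

// Detection helper for the check below: true when the emitted <code> body
// still contains raw angle brackets, i.e. the fence text was output as markup.
function containsRawTag(html) {
  const body = html
    .replace(/^<pre><code[^>]*>/, "")
    .replace(/<\/code><\/pre>$/, "");
  return /[<>]/.test(body);
}
```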

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2022-24799
GHSA-5568-RFH8-VMHQ

Affected Products

Wire-Desktop
Wire-Server
Wire-Webapp