PT-2022-19426 · Unknown+1 · Wire-Webapp+3

Markus Vervier · Published 2022-06-25 · Updated 2022-07-11 · CVE-2022-29168

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Wire versions prior to 2022-05-04-production.0
Wire-server versions prior to 2022-05-04 (chart/4.11.0)
Description
The issue is arbitrary HTML and JavaScript execution caused by insufficient escaping when wire-webapp renders @mentions. If a user receives and views a crafted message, the injected script runs in the victim's session, which lets the attacker take full control of the user account. Wire-desktop clients connected to a vulnerable wire-webapp version are also vulnerable, since the desktop client renders the same web application.
Recommendations
For wire-webapp versions prior to 2022-05-04-production.0, update to docker tag 2022-05-04-production.0-v0.29.7-0-a6f2ded or later. For wire-server versions prior to 2022-05-04 (chart/4.11.0), update to version 2022-05-04 (chart/4.11.0) or later. As a temporary workaround until the update can be applied, consider disabling the rendering of @mentions in the wire-webapp.
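As an added illustration of the bug class described above (this is not code from wire-webapp or from the advisory; the message and mention shape, the function names and the sample data are assumptions), the following shows a mention renderer that escapes plain message text but concatenates the mentioned user's profile display name into the markup unescaped, beside a hardened version that escapes every dynamic value for the context it lands in, and a small check that can serve as a regression test.

```javascript
// Added example, NOT wire-webapp's real code. It models a mention renderer
// with an assumed shape: a mention is a range into the message text plus the
// mentioned user's id, and the display name comes from that user's own
// profile, so an attacker controls it.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for use inside a text node or a double-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Split the message into plain-text and mention segments, dropping any
// mention range that overlaps an earlier one.
function splitSegments(text, mentions) {
  const sorted = [...mentions].sort((a, b) => a.start - b.start);
  const segments = [];
  let cursor = 0;
  for (const m of sorted) {
    if (m.start < cursor) continue;
    if (m.start > cursor) segments.push({ kind: 'text', value: text.slice(cursor, m.start) });
    segments.push({ kind: 'mention', userId: m.userId, value: text.slice(m.start, m.start + m.length) });
    cursor = m.start + m.length;
  }
  if (cursor < text.length) segments.push({ kind: 'text', value: text.slice(cursor) });
  return segments;
}

// Resolve the name shown for a mention; fall back to the text in the message
// (without its leading "@") when the user is unknown.
function displayName(seg, users) {
  return users[seg.userId] ? users[seg.userId].name : seg.value.replace(/^@/, '');
}

// Vulnerable pattern: plain text is escaped, but the mention markup is built
// by string concatenation with the display name and id left unescaped.
function renderMentionsUnsafe(text, mentions, users) {
  return splitSegments(text, mentions).map((seg) => {
    if (seg.kind === 'text') return escapeHtml(seg.value);
    return `<span class="mention" data-user-id="${seg.userId}">@${displayName(seg, users)}</span>`;
  }).join('');
}

// Hardened pattern: every dynamic value is escaped before it reaches the DOM,
// whether it lands in a text node or in an attribute value.
function renderMentionsSafe(text, mentions, users) {
  return splitSegments(text, mentions).map((seg) => {
    if (seg.kind === 'text') return escapeHtml(seg.value);
    const id = escapeHtml(seg.userId);
    const name = escapeHtml(displayName(seg, users));
    return `<span class="mention" data-user-id="${id}">@${name}</span>`;
  }).join('');
}

// Regression check: rendered output may contain no element other than the
// mention <span> itself.
function hasUnexpectedTag(html) {
  return /<(?!\/?span\b)[a-zA-Z]/.test(html);
}

// Constructed sample data (assumption; not taken from a real incident).
const SAMPLE_TEXT = 'hi @Mallory, ship it';
const SAMPLE_MENTIONS = [{ start: 3, length: 8, userId: 'u-2' }];
const SAMPLE_USERS = { 'u-2': { name: 'Mallory <img src=x onerror="alert(1)">' } };

// Render the sample both ways and report whether each output passes the check.
function demo() {
  const unsafe = renderMentionsUnsafe(SAMPLE_TEXT, SAMPLE_MENTIONS, SAMPLE_USERS);
  const safe = renderMentionsSafe(SAMPLE_TEXT, SAMPLE_MENTIONS, SAMPLE_USERS);
  return {
    unsafe, safe,
    unsafeLeaksTag: hasUnexpectedTag(unsafe),
    safeLeaksTag: hasUnexpectedTag(safe),
  };
}
```

The point the hardened version makes is that escaping the message body alone is not enough: any value that originates from another user's profile and is spliced into markup must be escaped for its own context. Feeding a few profile names containing tags and attribute-breaking quotes through the renderer, then asserting that the output contains nothing but the mention span, is a cheap check to keep next to the rendering code.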

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2022-29168
GHSA-JGV3-4J56-FVH6

Affected Products

Wire
Wire-Desktop
Wire-Server
Wire-Webapp