PT-2024-31783 · Wire Ui · Wire Ui

Sharathdn1 · Published 2024-09-17 · Updated 2024-10-07 · CVE-2024-45803

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Wire UI versions prior to 1.19.3; Wire UI versions prior to 2.1.3
Description: A potential Cross-Site Scripting (XSS) vulnerability has been identified in the "/wireui/button" endpoint, specifically through the label query parameter. The endpoint dynamically renders a button label from user-provided input in the label query parameter, and because that input is not sufficiently sanitized or escaped before being placed in the HTML response, a malicious actor can inject JavaScript through it. If exploited, this allows an attacker to execute arbitrary JavaScript in the context of the affected website in the victim's browser, which can lead to session hijacking, user impersonation, phishing, or content manipulation.
Recommendations: For versions prior to 1.19.3, upgrade to version 1.19.3 or later. For versions prior to 2.1.3, upgrade to version 2.1.3 or later. As a temporary workaround until the upgrade can be applied, consider restricting access to the "/wireui/button" endpoint, and avoid using the label parameter of the affected endpoint until the issue is resolved.
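As an added illustration (not Wire UI's own code; the rendering functions, host addresses and access-log lines below are constructed), this shows the unescaped rendering pattern the description refers to beside its escaped fix, and a check over web-server access-log lines that finds requests which sent markup in the label parameter of /wireui/button:

```python
"""Constructed example for CVE-2024-45803: reflected XSS via an unescaped
`label` query parameter, the escaped fix, and an access-log check."""
import html
import re
from urllib.parse import parse_qs, urlsplit


def render_button_unescaped(label: str) -> str:
    """Vulnerable pattern: untrusted label is interpolated into HTML verbatim."""
    return f"<button>{label}</button>"


def render_button_escaped(label: str) -> str:
    """Fixed pattern: HTML-escape the label (including quotes) before use."""
    return f"<button>{html.escape(label, quote=True)}</button>"


# Constructed access-log lines in common log format (hypothetical hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Sep/2024:10:00:01 +0000] "GET /wireui/button?label=Save HTTP/1.1" 200 512
203.0.113.7 - - [17/Sep/2024:10:00:02 +0000] "GET /wireui/button?label=%3Cb%3EHi%3C%2Fb%3E HTTP/1.1" 200 540
203.0.113.9 - - [17/Sep/2024:10:00:03 +0000] "GET /dashboard HTTP/1.1" 200 2048
"""

_REQUEST_TARGET = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
_MARKUP_CHARS = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)


def suspicious_label_requests(log_text: str) -> list[str]:
    """Return the decoded `label` values sent to /wireui/button that contain
    HTML markup characters or a javascript: scheme; plain labels are ignored."""
    hits = []
    for line in log_text.splitlines():
        match = _REQUEST_TARGET.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if target.path != "/wireui/button":
            continue
        # parse_qs percent-decodes the values for us.
        for label in parse_qs(target.query).get("label", []):
            if _MARKUP_CHARS.search(label):
                hits.append(label)
    return hits


if __name__ == "__main__":
    print(render_button_unescaped("<b>x</b>"))   # markup reaches the page
    print(render_button_escaped("<b>x</b>"))     # markup rendered as text
    print(suspicious_label_requests(SAMPLE_LOG))
```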

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2024-45803, GHSA-RW5H-G8XQ-6877

Affected Products: Wire Ui