CVE-2022-29168
📋 TL;DR
Wire secure messaging application is vulnerable to cross-site scripting (XSS) via insufficient escaping of @mentions. This allows attackers to inject and execute arbitrary HTML/JavaScript in victims' browsers, potentially leading to full account takeover. Affects Wire web applications and desktop clients connected to vulnerable webapp instances.
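To illustrate the bug class the advisory describes, the following added example (not Wire's code) contrasts a mention renderer that concatenates the mentioned user's display name into HTML with one that escapes every user-controlled value. It assumes the client interpolates the display name into the message markup; the names, the message layout and the sample mention are constructed for the example.

```javascript
// Added example: insufficient escaping of @mentions and its hardened form.
// Assumption: the client builds message HTML by interpolating the mentioned
// user's display name; Wire's real rendering path is not reproduced here.

// Escape the characters that are significant in HTML text and attribute contexts.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable pattern: display name and id land in the markup unescaped, so a
// name that carries markup becomes live HTML in the recipient's client.
function renderMentionUnsafe(mention) {
  return `<span class="mention" data-user-id="${mention.userId}">@${mention.name}</span>`;
}

// Hardened pattern: every user-controlled value is escaped for its HTML context.
function renderMentionSafe(mention) {
  return `<span class="mention" data-user-id="${escapeHtml(mention.userId)}">@${escapeHtml(mention.name)}</span>`;
}

// Render a message body whose mentions are given as {start, length, userId, name}
// offsets into the text. Text outside the mentions is escaped as well, so the
// safe variant's output can be assigned to innerHTML without further checks.
function renderMessage(text, mentions, renderMention) {
  const sorted = [...mentions].sort((a, b) => a.start - b.start);
  let html = '';
  let pos = 0;
  for (const m of sorted) {
    html += escapeHtml(text.slice(pos, m.start));
    html += renderMention(m);
    pos = m.start + m.length;
  }
  return html + escapeHtml(text.slice(pos));
}

// Constructed sample: a display name containing a script tag (the classic XSS
// canary, not a payload taken from the advisory).
const sampleText = 'hey @Eve check this';
const sampleMentions = [
  { start: 4, length: 4, userId: 'u-42', name: 'Eve <script>alert(1)</script>' },
];

function unsafeOutput() { return renderMessage(sampleText, sampleMentions, renderMentionUnsafe); }
function safeOutput() { return renderMessage(sampleText, sampleMentions, renderMentionSafe); }
```

The unsafe variant emits the script tag verbatim; the safe variant renders it as inert text inside the mention span.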
💻 Affected Systems
- wire-webapp
- wire-desktop
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete account compromise allowing attacker to read all messages, send messages as the victim, access contacts, and potentially pivot to other systems.
Likely Case
Session hijacking, message interception, and unauthorized access to private conversations.
If Mitigated
Limited impact if proper network segmentation and least privilege access are implemented.
🎯 Exploit Status
Requires sending malicious message to victim, but XSS exploitation is well-understood and tools exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: wire-webapp 2022-05-04-production.0 or wire-server 2022-05-04 (chart/4.11.0)
Vendor Advisory: https://github.com/wireapp/wire-webapp/security/advisories/GHSA-jgv3-4j56-fvh6
Restart Required: Yes
Instructions:
1. Update wire-webapp to docker tag 2022-05-04-production.0-v0.29.7-0-a6f2ded or later.
2. For on-premise deployments, update wire-server to 2022-05-04 (chart/4.11.0) or later.
3. Restart all affected services.
🧯 If You Can't Patch
- Disable @mentions functionality if possible
- Implement strict Content Security Policy (CSP) headers to limit script execution
🔍 How to Verify
Check if Vulnerable:
Check the deployed wire-webapp version; any version before 2022-05-04-production.0 is vulnerable.
Check Version:
Run: docker images | grep wire-webapp (or check the deployment configuration)
Verify Fix Applied:
Confirm version is 2022-05-04-production.0 or later, and test @mentions functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual @mention patterns
- Multiple failed login attempts from same user
- Messages with suspicious HTML/JavaScript content
Network Indicators:
- Unexpected outbound connections from Wire clients
- Unusual message sending patterns
SIEM Query:
source="wire" AND (message="@mention" OR message CONTAINS "<script>" OR message CONTAINS "javascript:")