Vulnerability Details : CVE-2022-29168
Wire is a secure messaging application. Wire is vulnerable to arbitrary HTML and JavaScript execution via insufficient escaping when rendering `@mentions` in the wire-webapp. If a user receives and views a malicious message, arbitrary code is injected and executed in the context of the victim, allowing the attacker to fully control the user account. Wire-desktop clients that are connected to a vulnerable wire-webapp version are also vulnerable to this attack. The issue has been fixed in wire-webapp 2022-05-04-production.0 and is already deployed on all Wire managed services. On-premise instances of wire-webapp need to be updated to docker tag 2022-05-04-production.0-v0.29.7-0-a6f2ded or wire-server 2022-05-04 (chart/4.11.0) or later. No known workarounds exist.
Vulnerability category: Cross site scripting (XSS)
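The bug class described above, as an added example that is not Wire's code: a hypothetical message model (`text` plus `mentions` offsets into it) rendered once with the mention label left unescaped and once with every segment escaped before markup is added. All function and field names here are assumptions, and the sample message is constructed.

```javascript
// Added illustration of "insufficient escaping when rendering @mentions".
// Hypothetical model: {text, mentions: [{start, length}]}, offsets index into text.

const HTML_ESCAPES = {'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'};

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Split text into ordered plain/mention segments. Mentions that are malformed,
// out of range, or overlap an earlier mention are dropped, so sender-supplied
// offsets can never produce a segment outside the message text.
function segment(text, mentions) {
  const valid = (mentions || [])
    .filter((m) => Number.isInteger(m.start) && Number.isInteger(m.length) &&
                   m.start >= 0 && m.length > 0 && m.start + m.length <= text.length)
    .sort((a, b) => a.start - b.start);
  const out = [];
  let pos = 0;
  for (const m of valid) {
    if (m.start < pos) continue; // overlaps the previous mention
    if (m.start > pos) out.push({mention: false, value: text.slice(pos, m.start)});
    out.push({mention: true, value: text.slice(m.start, m.start + m.length)});
    pos = m.start + m.length;
  }
  if (pos < text.length) out.push({mention: false, value: text.slice(pos)});
  return out;
}

// Insufficient escaping: plain text is escaped, but the mention label is
// interpolated into markup as-is, so sender-controlled markup survives.
function renderUnsafe(msg) {
  return segment(msg.text, msg.mentions)
    .map((s) => (s.mention
      ? `<span class="mention">${s.value}</span>`
      : escapeHtml(s.value)))
    .join('');
}

// Hardened: every segment, mention or not, is escaped before markup is added.
function renderSafe(msg) {
  return segment(msg.text, msg.mentions)
    .map((s) => (s.mention
      ? `<span class="mention">${escapeHtml(s.value)}</span>`
      : escapeHtml(s.value)))
    .join('');
}

// Constructed sample: the mention range covers text that contains markup.
const sample = {text: 'hi @<b>bob</b> & co', mentions: [{start: 3, length: 11}]};

// Constructed sample with an out-of-range mention, which must be ignored.
const badRange = {text: '<i>x</i>', mentions: [{start: 2, length: 50}]};
```

In a browser, building the mention element with `document.createElement` and assigning the label through `textContent` avoids assembling HTML strings at all.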
Products affected by CVE-2022-29168
Exploit prediction scoring system (EPSS) score for CVE-2022-29168
- EPSS score: 0.07% (probability of exploitation activity in the next 30 days)
- Percentile: ~32% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2022-29168
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | |
9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 2.8 | 6.0 | GitHub, Inc. | |
CWE ids for CVE-2022-29168
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary), security-advisories@github.com (Secondary)
- The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. Assigned by: security-advisories@github.com (Secondary)
References for CVE-2022-29168
- https://github.com/wireapp/wire-webapp/security/advisories/GHSA-jgv3-4j56-fvh6 (Cross Site Scripting in Wire Messages · Advisory · wireapp/wire-webapp · GitHub; Third Party Advisory)