ID

VAR-202109-1208


CVE

CVE-2021-41101


TITLE

Cross-site scripting vulnerability in wire-server

Trust: 0.8

sources: JVNDB: JVNDB-2021-012355

DESCRIPTION

wire-server is an open-source back end for Wire, a secure collaboration platform. Before version 2.106.0, the CORS `Access-Control-Allow-Origin` header set by `nginz` is set for all subdomains of `.wire.com` (including `wire.com`). This means that if somebody were to find an XSS vector in any of the subdomains, they could use it to talk to the Wire API using the user's Cookie. A patch does not exist, but a workaround does. To make sure that a compromise of one subdomain does not yield access to the cookie of another, one may limit the `Access-Control-Allow-Origin` header to apps that actually require the cookie (account-pages, team-settings and the webapp). wire-server contains a cross-site scripting vulnerability. Information may be obtained.

Trust: 1.71

sources: NVD: CVE-2021-41101 // JVNDB: JVNDB-2021-012355 // VULMON: CVE-2021-41101

AFFECTED PRODUCTS

vendor: wire
model: server
scope: lt
version: 2.106.0

Trust: 1.0

vendor: wire swiss
model: wire-server
scope: eq
version: -

Trust: 0.8

vendor: wire swiss
model: wire-server
scope: eq
version: 2.106.0

Trust: 0.8

sources: JVNDB: JVNDB-2021-012355 // NVD: CVE-2021-41101

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-41101
value: LOW

Trust: 1.0

security-advisories@github.com: CVE-2021-41101
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-41101
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202109-1949
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2021-41101
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

security-advisories@github.com: CVE-2021-41101
baseSeverity: MEDIUM
baseScore: 5.7
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.1
impactScore: 3.6
version: 3.1

Trust: 1.0

OTHER: JVNDB-2021-012355
baseSeverity: MEDIUM
baseScore: 5.7
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2021-012355 // CNNVD: CNNVD-202109-1949 // NVD: CVE-2021-41101 // NVD: CVE-2021-41101

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.0

problemtype: Cross-site scripting (CWE-79) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2021-012355 // NVD: CVE-2021-41101

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202109-1949

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202109-1949

PATCH

title: CORS `Access-Control-Allow-Origin` settings are too lenient
url: https://github.com/wireapp/wire-server/security/advisories/GHSA-v7xx-cx8m-g66p

Trust: 0.8

title: Wire Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=164557

Trust: 0.6

sources: JVNDB: JVNDB-2021-012355 // CNNVD: CNNVD-202109-1949

EXTERNAL IDS

db: NVD
id: CVE-2021-41101

Trust: 3.3

db: JVNDB
id: JVNDB-2021-012355

Trust: 0.8

db: CS-HELP
id: SB2021100109

Trust: 0.6

db: CNNVD
id: CNNVD-202109-1949

Trust: 0.6

db: VULMON
id: CVE-2021-41101

Trust: 0.1

sources: VULMON: CVE-2021-41101 // JVNDB: JVNDB-2021-012355 // CNNVD: CNNVD-202109-1949 // NVD: CVE-2021-41101

REFERENCES

url: https://github.com/wireapp/wire-server/security/advisories/ghsa-v7xx-cx8m-g66p

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2021-41101

Trust: 1.4

url: https://www.cybersecurity-help.cz/vdb/sb2021100109

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2021-41101 // JVNDB: JVNDB-2021-012355 // CNNVD: CNNVD-202109-1949 // NVD: CVE-2021-41101

SOURCES

db: VULMON, id: CVE-2021-41101
db: JVNDB, id: JVNDB-2021-012355
db: CNNVD, id: CNNVD-202109-1949
db: NVD, id: CVE-2021-41101

LAST UPDATE DATE

2024-11-23T21:58:40.107000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2021-41101, date: 2021-10-01T00:00:00
db: JVNDB, id: JVNDB-2021-012355, date: 2022-08-30T03:22:00
db: CNNVD, id: CNNVD-202109-1949, date: 2021-10-11T00:00:00
db: NVD, id: CVE-2021-41101, date: 2024-11-21T06:25:28.277

SOURCES RELEASE DATE

db: VULMON, id: CVE-2021-41101, date: 2021-09-30T00:00:00
db: JVNDB, id: JVNDB-2021-012355, date: 2022-08-30T00:00:00
db: CNNVD, id: CNNVD-202109-1949, date: 2021-09-30T00:00:00
db: NVD, id: CVE-2021-41101, date: 2021-09-30T20:15:07.587