CVE-2022-24799
CVE-2022-24799 is a critical-severity vulnerability in Wire Wire-webapp with a CVSS 3.x base score of 9.6. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-79.
Key facts
- Severity: Critical (CVSS 3.x base score 9.6)
- CVSS v2: 4.3
- EPSS exploit prediction: 1% (57th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-79
- Affected product: Wire Wire-webapp
- Published:
- Last modified:
Description
wire-webapp is the web application interface for the wire messaging service. Insufficient escaping in markdown “code highlighting” in the wire-webapp resulted in the possibility of injecting and executing arbitrary HTML code and thus also JavaScript. If a user receives and views such a malicious message, arbitrary code is injected and executed in the context of the victim. This allows the attacker to fully control the user account. Wire-desktop clients that are connected to a vulnerable wire-webapp version are also vulnerable to this attack. The issue has been fixed in wire-webapp 2022-03-30-production.0 and is already deployed on all Wire managed services. On-premise instances of wire-webapp need to be updated to docker tag 2022-03-30-production.0-v0.29.2-0-d144552 or wire-server 2022-03-30 (chart/4.8.0), so that their applications are no longer affected. There are no known workarounds for this issue. ### Patches * The issue has been fixed in wire-webapp **2022-03-30-production.0** and is already deployed on all Wire managed services. * On-premise instances of wire-webapp need to be updated to docker tag **2022-03-30-production.0-v0.29.2-0-d144552** or wire-server **2022-03-30 (chart/4.8.0)**, so that their applications are no longer affected. ### Workarounds * No workarounds known ### For more information If you have any questions or comments about this advisory feel free to email us at [[email protected]](mailto:[email protected]) ### Credits We thank [Posix](https://twitter.com/po6ix) for reporting this vulnerability
Frequently asked questions
- What is CVE-2022-24799?
- wire-webapp is the web application interface for the wire messaging service. Insufficient escaping in markdown “code highlighting” in the wire-webapp resulted in the possibility of injecting and executing arbitrary HTML code and thus also JavaScript. If a user receives and views such a malicious message, arbitrary code is injected and executed in the context of the victim. This allows the attacker to fully control the user account. Wire-desktop clients that are connected to a vulnerable wire-webapp version are also vulnerable to this attack. The issue has been fixed in wire-webapp 2022-03-30-production.0 and is already deployed on all Wire managed services. On-premise instances of wire-webapp need to be updated to docker tag 2022-03-30-production.0-v0.29.2-0-d144552 or wire-server 2022-03-30 (chart/4.8.0), so that their applications are no longer affected. There are no known workarounds for this issue. ### Patches * The issue has been fixed in wire-webapp **2022-03-30-production.0** and is already deployed on all Wire managed services. * On-premise instances of wire-webapp need to be updated to docker tag **2022-03-30-production.0-v0.29.2-0-d144552** or wire-server **2022-03-30 (chart/4.8.0)**, so that their applications are no longer affected. ### Workarounds * No workarounds known ### For more information If you have any questions or comments about this advisory feel free to email us at [[email protected]](mailto:[email protected]) ### Credits We thank [Posix](https://twitter.com/po6ix) for reporting this vulnerability
- How severe is CVE-2022-24799?
- CVE-2022-24799 has a CVSS 3.x base score of 9.6, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-24799 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (57th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-24799?
- CVE-2022-24799 primarily affects Wire Wire-webapp. In total, 362 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-24799?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2022-24799 published?
- CVE-2022-24799 was published on 2022-04-20 and last updated on 2026-06-17.
References
- https://github.com/wireapp/wire-webapp/commit/d14455252a949dc83f36d45e2babbdd9328af2a4
- https://github.com/wireapp/wire-webapp/releases/tag/2022-03-30-production.0
- https://github.com/wireapp/wire-webapp/security/advisories/GHSA-5568-rfh8-vmhq
Affected products (362)
- cpe:2.3:a:wire:wire-webapp:2016-07-29-17-00:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2016-08-04-15-44:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2016-08-23-09-31:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2016-08-24-10-10:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2016-08-29-14-54:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2016-09-08-15-38:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2016-09-19-14-01:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2016-09-28-14-58:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2016-10-11-15-34:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2016-10-18-08-10:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2016-10-25-08-17:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2016-10-26-18-58:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2016-11-03-16-09:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2016-11-08-15-06:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2016-12-01-12-57:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2016-12-13-15-12:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-01-23-12-12:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-02-01-14-49:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-02-17-10-10:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-02-24-13-06:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-03-08-17-32:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-03-14-15-05:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-03-21-11-00:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-03-27-17-10:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-03-28-14-23:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-04-05-16-58:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-04-07-09-42:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-04-19-12-31:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-04-20-15-54:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-05-03-10-29:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-05-19-16-10:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-05-26-08-16:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-05-26-12-03:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-06-01-10-02:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-06-07-15-03:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-06-07-18-05:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-06-22-12-18:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-06-28-15-13:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-07-06-12-44:*:*:*:*:*:*:*
- cpe:2.3:a:wire:wire-webapp:2017-07-06-15-48:*:*:*:*:*:*:*
More vulnerabilities in Wire Wire-webapp
- CVE-2022-29168 — Critical (CVSS 9.6): Wire is a secure messaging application. Wire is vulnerable to arbitrary HTML and Javascript execution via insufficient…
- CVE-2021-32683 — High (CVSS 8.8): wire-webapp is the web version of Wire, an open-source messenger. A cross-site scripting vulnerability exists in…
- CVE-2021-21400 — High (CVSS 7.1): wire-webapp is an open-source front end for Wire, a secure collaboration platform. In wire-webapp before version…
- CVE-2025-48066 — Medium (CVSS 6.0): wire-webapp is the web application for the open-source messaging service Wire. A bug fix caused a regression causing an…
- CVE-2022-39380 — Medium (CVSS 5.3): Wire web-app is part of Wire communications. Versions prior to 2022-11-02 are subject to Improper Handling of…
- CVE-2022-23605 — Medium (CVSS 4.4): Wire webapp is a web client for the wire messaging protocol. In versions prior to 2022-01-27-production.0 expired…
All CVEs affecting Wire Wire-webapp →
Other CWE-79 (Cross-site Scripting (XSS)) vulnerabilities
- CVE-2025-49410 — Critical (CVSS 10.0): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu TC…
- CVE-2024-47875 — Critical (CVSS 10.0): DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to…
- CVE-2024-6886 — Critical (CVSS 10.0): Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea…
- CVE-2023-45144 — Critical (CVSS 10.0): com.xwiki.identity-oauth:identity-oauth-ui is a package to aid in building identity and service providers based on…
- CVE-2023-45138 — Critical (CVSS 10.0): Change Request is an pplication allowing users to request changes on a wiki without publishing the changes directly.…
- CVE-2022-4361 — Critical (CVSS 10.0): Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the…
Browse all CWE-79 (Cross-site Scripting (XSS)) vulnerabilities →