CORS `Access-Control-Allow-Origin` settings are too lenient

Moderate
sebastian-wire published GHSA-v7xx-cx8m-g66p Sep 30, 2021

Package

wire-server

Affected versions

< 2.106.0

Patched versions

None

Description

Impact

nginz sets the CORS Access-Control-Allow-Origin header for every subdomain of .wire.com (including wire.com itself). This means that if somebody were to find an XSS vector in any of our subdomains, they could use it to talk to the Wire API using the user's cookie. To make sure that a compromise of, say, xyz.wire.com does not yield access to the cookie of prod-nginz-https.wire.com, we should restrict the Access-Control-Allow-Origin header to the apps that actually require the cookie.

As far as I know those are: account-pages, team-settings and the webapp.
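To show the difference between the lenient rule described above and an explicit allowlist, here is an added example (not wire-server or nginz code) that models both origin checks for a credentialed API response. The hostnames for account-pages, team-settings and the webapp are assumptions; the advisory names the apps, not their hosts.

```python
import re
from typing import Callable, Optional

# Lenient rule, as described in the advisory: any subdomain of wire.com
# (and wire.com itself) is reflected as Access-Control-Allow-Origin.
LENIENT_ORIGIN_RE = re.compile(r"^https://([a-z0-9-]+\.)*wire\.com$")

# Strict allowlist: only the apps that actually need the cookie.
# Hostnames are assumptions; the advisory names the apps, not their hosts.
ALLOWED_ORIGINS = frozenset({
    "https://account.wire.com",  # account-pages (assumed host)
    "https://teams.wire.com",    # team-settings (assumed host)
    "https://app.wire.com",      # webapp (assumed host)
})


def lenient_acao(origin: str) -> Optional[str]:
    """Return the ACAO value the lenient subdomain rule would emit, or None."""
    return origin if LENIENT_ORIGIN_RE.match(origin) else None


def strict_acao(origin: str) -> Optional[str]:
    """Return the ACAO value under an explicit allowlist, or None.

    With Access-Control-Allow-Credentials: true a browser only accepts a
    single exact origin in ACAO (never '*'), so the allowed origin is
    echoed back verbatim rather than using a wildcard.
    """
    return origin if origin in ALLOWED_ORIGINS else None


def cors_headers(origin: str,
                 policy: Callable[[str], Optional[str]] = strict_acao) -> dict:
    """Build the CORS response headers for a credentialed API request."""
    allowed = policy(origin)
    if allowed is None:
        return {}  # no CORS headers: the browser blocks the cross-origin read
    return {
        "Access-Control-Allow-Origin": allowed,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # the response differs per origin; keep caches honest
    }


if __name__ == "__main__":
    for o in ("https://app.wire.com", "https://xyz.wire.com",
              "https://wire.com", "https://example.com"):
        print(o, "lenient:", lenient_acao(o), "strict:", strict_acao(o))
```

Under the lenient rule a script running on xyz.wire.com gets its origin echoed back and can read credentialed API responses; under the allowlist it gets no CORS headers at all.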

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2021-41101

Weaknesses

No CWEs

Credits