CVE-2021-21400 HIGH

CVE-2021-21400: Entering code in App Lock modal sends input to conversation

Vendor Wireapp

Product wire-webapp

Weakness CWE-200 · Info exposure

Published April 2, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

wire-webapp is an open-source front end for Wire, a secure collaboration platform. In wire-webapp before version 2021-03-15-production.0, when being prompted to enter the app-lock passphrase, the typed passphrase will be sent into the most recently used chat when the user does not actively give focus to the input field. Input element focus is enforced programatically in version 2021-03-15-production.0.

Key dates

02Disclosure timeline

April 2, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-21400

Related vulnerabilities

04Related CVE

CVE-2024-0620 PPWP – Password Protect Pages <= 1.8.9 - Protection Mechanism Bypass CVE-2023-33960 OpenProject vulnerable to project identifier information leakage through robots.txt CVE-2024-27905 Apache Aurora: padding oracle can allow construction an authentication cookie CVE-2023-50298 Apache Solr: Solr can expose ZooKeeper credentials via Streaming Expressions CVE-2022-39307 Grafana subject to Exposure of Sensitive Information resulting in User enumeration via forget password