CVE-2021-21400

Entering code in App Lock modal sends input to conversation

Description

wire-webapp is an open-source front end for Wire, a secure collaboration platform. In wire-webapp before version 2021-03-15-production.0, when being prompted to enter the app-lock passphrase, the typed passphrase will be sent into the most recently used chat when the user does not actively give focus to the input field. Input element focus is enforced programatically in version 2021-03-15-production.0.

Category

7.1
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.42%
Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com
Affected: wireapp wire-webapp
Published at:
Updated at:

References

Link Tags
https://github.com/wireapp/wire-webapp/security/advisories/GHSA-cxwr-f2j3-q8hp third party advisory
https://github.com/wireapp/wire-webapp/pull/10704 third party advisory patch
https://github.com/wireapp/wire-webapp/releases/tag/2021-03-15-production.0 third party advisory release notes
https://github.com/wireapp/wire-webapp/commit/281f2a9d795f68abe423c116d5da4e1e73a60062 third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2021-21400?
CVE-2021-21400 has been scored as a high severity vulnerability.
How to fix CVE-2021-21400?
To fix CVE-2021-21400, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-21400 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-21400 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-21400?
CVE-2021-21400 affects wireapp wire-webapp.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.