De-anonymization via message

MuWire is a file publishing and networking tool that protects the identity of its users by using I2P technology. Users of MuWire desktop client prior to version 0.8.8 can be de-anonymized by an attacker who knows their full ID. An attacker could send a message with a subject line containing a URL with an HTML image tag and the MuWire client would try to fetch that image via clearnet, thus exposing the IP address of the user. The problem is fixed in MuWire 0.8.8. As a workaround, users can disable messaging functionality to prevent other users from sending them malicious messages.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

信息暴露

MuWire 跨站脚本漏洞

MuWire是开源的一个文件发布和网络工具，使用12P技术保护其用户的身份。 MuWire 0.8.8版之前的桌面客户端存在跨站脚本漏洞，当攻击者发送主题行包含带有 HTML 图像标签的 URL 的消息时，MuWire 客户端将尝试通过 clearnet 获取该图像，从而暴露用户的 IP 地址。

N/A

跨站脚本