Critical Flaws Reported in Etherpad — a Popular Google Docs Alternative
2021-07-13 20:19

Cybersecurity researchers have disclosed new security vulnerabilities in the Etherpad text editor that could potentially enable attackers to hijack administrator accounts, execute system commands, and even steal sensitive documents.

The two flaws, tracked as CVE-2021-34816 and CVE-2021-34817, were discovered and reported on June 4 by researchers from SonarSource. A patch for the latter shipped in Etherpad version 1.8.14, released on July 4.

"The XSS vulnerability allows attackers to take over Etherpad users, including admins. This can be used to steal or manipulate sensitive data," SonarSource vulnerability researcher Paul Gerste said in a report shared with The Hacker News.

CVE-2021-34816 relates to how Etherpad manages plugins: the name of the package to be installed via the "npm install" command is not adequately sanitized, which could allow an attacker to "specify a malicious package from the NPM repository or to simply use a URL that points to a package on the attacker's server."
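The kind of input check this class of bug (CWE-88) calls for, as an added example that is not Etherpad's code or its patch: the plugin spec is validated against a strict pattern and an operator-vetted list before it is placed in an `npm install` argument vector. The `ep_` name pattern, the approved list, and the function names are assumptions made for illustration.

```javascript
// Added example, not Etherpad's code. Assumptions are marked below.

// Assumption: operators keep a list of plugin names they have vetted (constructed here).
const APPROVED_PLUGINS = new Set(['ep_align', 'ep_headings2']);

// Assumption: a plugin spec is "ep_<name>" with an optional exact "@x.y.z" version.
const SPEC_RE = /^(ep_[a-z0-9][a-z0-9_-]{0,63})(?:@(\d+\.\d+\.\d+))?$/;

function checkPluginSpec(spec, approved = APPROVED_PLUGINS) {
  if (typeof spec !== 'string' || spec.length === 0) {
    return { ok: false, reason: 'empty or non-string' };
  }
  // A leading "-" would be parsed by npm as an option, not as a package.
  if (spec.startsWith('-')) return { ok: false, reason: 'option-like argument' };
  // ":" "/" "\" cover URLs, git specs and local or remote tarball paths.
  if (/[:\/\\]/.test(spec)) return { ok: false, reason: 'URL or path spec' };
  const m = SPEC_RE.exec(spec);
  if (!m) return { ok: false, reason: 'malformed plugin name' };
  // A well-formed name can still be a hostile registry package, so require vetting.
  if (!approved.has(m[1])) return { ok: false, reason: 'not on approved list' };
  return { ok: true, name: m[1], version: m[2] || null };
}

// Returns an argv array for child_process.execFile('npm', argv): no shell is
// involved, and "--" ends option parsing so the spec stays one positional argument.
function npmInstallArgv(spec, approved = APPROVED_PLUGINS) {
  const verdict = checkPluginSpec(spec, approved);
  if (!verdict.ok) throw new Error(`plugin spec rejected: ${verdict.reason}`);
  return ['install', '--', spec];
}

// Constructed sample inputs.
const SAMPLES = [
  'ep_align',
  'ep_align@0.2.0',
  'https://example.invalid/pkg.tgz',
  '--some-flag=value',
  'ep_unvetted',
];
for (const s of SAMPLES) {
  const v = checkPluginSpec(s);
  console.log(s.padEnd(36), v.ok ? 'accept' : `reject (${v.reason})`);
}
```
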

"Fixed a persistent XSS vulnerability in the Chat component," Etherpad maintainers said in the release notes for version 1.8.14.

The research highlights "how important data validation and sanitization is for avoiding such flaws during development," Gerste said, adding, "The smallest coding mistake can be the first stepping stone for an attacker to launch further attacks against the software."


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/5t1VnK2mtjQ/critical-flaws-reported-in-etherpad.html

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK

2021-07-21 | CVE-2021-34816 | Argument Injection or Modification vulnerability in Etherpad 1.8.13 | 6.5
  An Argument Injection issue in the plugin management of Etherpad 1.8.13 allows privileged users to execute arbitrary code on the server by installing plugins from an attacker-controlled source.
  network, low complexity, etherpad, CWE-88

2021-07-19 | CVE-2021-34817 | Cross-site Scripting vulnerability in Etherpad 1.8.13 | 4.3
  A Cross-Site Scripting (XSS) issue in the chat component of Etherpad 1.8.13 allows remote attackers to inject arbitrary JavaScript or HTML by importing a crafted pad.
  network, etherpad, CWE-79

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 141 994 4850 2758 1634 10236
Etherpad 3 0 15 4 0 19