Security News > 2021 > July > Critical Flaws Reported in Etherpad — a Popular Google Docs Alternative

Critical Flaws Reported in Etherpad — a Popular Google Docs Alternative
2021-07-13 20:19

Cybersecurity researchers have disclosed new security vulnerabilities in the Etherpad text editor that could potentially enable attackers to hijack administrator accounts, execute system commands, and even steal sensitive documents.

The two flaws - tracked as CVE-2021-34816 and CVE-2021-34817 - were discovered and reported on June 4 by researchers from SonarSource, following which patches have been shipped for the latter in version 1.8.14 of Etherpad released on July 4.

"The XSS vulnerability allows attackers to take over Etherpad users, including admins. This can be used to steal or manipulate sensitive data," SonarSource vulnerability researcher Paul Gerste said in a report shared with The Hacker News.

CVE-2021-34816, on the other hand, relates to how Etherpad manages plugins, wherein the name of the package to be installed via the "Npm install" command is not adequately sanitized, leading to a scenario that could allow an attacker to "Specify a malicious package from the NPM repository or to simply use a URL that points to a package on the attacker's server."

"Fixed a persistent XSS vulnerability in the Chat component," Etherpad maintainers said in the release notes for version 1.8.14.

The research highlights "How important data validation and sanitization is for avoiding such flaws during development," Gerste said, adding, "The smallest coding mistake can be the first stepping stone for an attacker to launch further attacks against the software."


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/5t1VnK2mtjQ/critical-flaws-reported-in-etherpad.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-07-21 CVE-2021-34816 Argument Injection or Modification vulnerability in Etherpad 1.8.13
An Argument Injection issue in the plugin management of Etherpad 1.8.13 allows privileged users to execute arbitrary code on the server by installing plugins from an attacker-controlled source.
network
low complexity
etherpad CWE-88
7.2
2021-07-19 CVE-2021-34817 Cross-site Scripting vulnerability in Etherpad 1.8.13
A Cross-Site Scripting (XSS) issue in the chat component of Etherpad 1.8.13 allows remote attackers to inject arbitrary JavaScript or HTML by importing a crafted pad.
network
low complexity
etherpad CWE-79
6.1

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 102 256 4320 4678 741 9995
Etherpad 3 0 4 12 3 19