Vulnerabilities in Etherpad Collaboration Tool Allow Data Theft
Researchers discovered two vulnerabilities in Etherpad, an open-source collaborative real-time editor that allows multiple authors to simultaneously edit a text document.
The second flaw is an argument injection vulnerability that allows an attacker to execute arbitrary code and system commands to fully compromise the Etherpad instance and its data.
If an admin user exists, the attacker can chain the two vulnerabilities, first compromising the admin and then using the admin privileges to execute arbitrary code on the server.
The flaws were reported by the SonarSource researchers to Etherpad on April 6, 2021 and confirmed by Etherpad on the same day.
The XSS flaw was fixed by April 8, 2021, and the fix was released in Etherpad version 1.8.14 on July 4, 2021.
The researchers believe that the vulnerabilities may have been present within Etherpad since at least version 1.7.0.