Cybersecurity researchers have disclosed new security vulnerabilities in the Etherpad text editor (version 1.8.13) that could potentially allow attackers to hijack administrator accounts, execute system commands, and even steal sensitive documents.
The two flaws — tracked as CVE-2021-34816 and CVE-2021-34817 — were discovered and reported on June 4 by researchers from SonarSource, following which patches have been shipped for the latter in a release of Etherpad published on July 4.
Etherpad is a real-time collaborative interface that allows a document to be edited simultaneously by multiple authors. It's an open-source alternative to Google Docs that can be hosted on your own servers.
“The XSS vulnerability permits attackers to take over Etherpad users, including admins. This can be used to steal or manipulate sensitive data,” SonarSource vulnerability researcher Paul Gerste said in a report shared with The Hacker News.
“The argument injection vulnerability permits attackers to execute arbitrary code on the server, which would allow [them] to steal, modify or delete all data, or to target other internal systems that are reachable from the server.”
CVE-2021-34816, however, pertains to how Etherpad manages plugins, whereby the name of the package to be installed via the “” command isn't adequately sanitized, leading to a scenario that could allow an attacker to “specify a malicious package from the NPM repository or to simply use a URL that points to a package on the attacker's server.”
The consequence of successful exploitation of CVE-2021-34816 is the execution of arbitrary code and system commands, thus completely compromising the Etherpad instance and its data.
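The sanitization gap described above comes down to treating the plugin name as trusted text on a package-manager command line. The following is an added example, not Etherpad's own code or its fix: a strict allowlist check applied before the name reaches npm. The `ep_` prefix rule, the exact-version rule and the function names are assumptions made for the illustration.

```javascript
// Added example (hypothetical helper names, not Etherpad's code):
// validate a plugin spec before it is handed to the package manager.

// Assumption: plugin packages use an "ep_" prefix and only lowercase
// letters, digits, "_" and "-". Anything else is refused outright.
const PLUGIN_NAME = /^ep_[a-z0-9][a-z0-9_-]{0,100}$/;
// Assumption: only exact x.y.z versions are accepted, no tags or ranges.
const EXACT_VERSION = /^\d+\.\d+\.\d+$/;

function parsePluginSpec(spec) {
  if (typeof spec !== 'string') {
    throw new TypeError('plugin spec must be a string');
  }
  const [name, version, ...rest] = spec.split('@');
  if (rest.length > 0) throw new Error('malformed plugin spec');
  // The anchored pattern excludes URLs, paths, scoped names, whitespace
  // and anything starting with "-", so the value cannot act as an option.
  if (!PLUGIN_NAME.test(name)) {
    throw new Error(`rejected plugin name: ${JSON.stringify(name)}`);
  }
  if (version !== undefined && !EXACT_VERSION.test(version)) {
    throw new Error(`rejected plugin version: ${JSON.stringify(version)}`);
  }
  return version === undefined ? name : `${name}@${version}`;
}

function buildInstallArgs(spec) {
  // "--" marks the end of options as defence in depth: whatever follows
  // is read as a package argument, never as a flag.
  return ['install', '--', parsePluginSpec(spec)];
}

function installPlugin(spec, callback) {
  const { execFile } = require('node:child_process');
  // execFile passes an argument vector and starts no shell, so shell
  // metacharacters in the spec are never interpreted.
  execFile('npm', buildInstallArgs(spec), callback);
}
```

Validation of this kind limits what can be named; it does not vet the content of a package that passes the check.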
Concerningly, both vulnerabilities can be chained together by an attacker, first to take over an administrator account and then to use those privileges to gain a shell and execute malicious code on the server.
“Fixed a persistent XSS vulnerability in the Chat component,” Etherpad maintainers said in the release notes for version 1.8.14. “In case you can't update to 1.8.14 directly, we strongly recommend to cherry-pick [commit].” It's worth noting that the argument injection vulnerability remains unpatched, although the researchers note that the flaw is “considerably harder to exploit on its own.”
The research highlights “how important data validation and sanitization is for avoiding such flaws during development,” Gerste said, adding, “the smallest coding mistake can be the first stepping stone for an attacker to launch further attacks against the software.”
Etherpad users are highly advised to update their installations to version 1.8.14 to mitigate the risk associated with the flaw.