Cybersecurity researchers have disclosed new stability vulnerabilities in the Etherpad text editor (version 1.8.13) that could probably help attackers to hijack administrator accounts, execute method commands, and even steal sensitive paperwork.
The two flaws — tracked as CVE-2021-34816 and CVE-2021-34817 — had been identified and reported on June 4 by scientists from SonarSource, adhering to which patches have been delivered for the latter in edition 1.8.14 of Etherpad unveiled on July 4.
Etherpad is a genuine-time collaborative interface that enables a doc to be edited simultaneously by numerous authors. It is an open up-source alternate to Google Docs that can be hosted on your personal servers.
“The XSS vulnerability makes it possible for attackers to consider more than Etherpad users, which includes admins. This can be utilized to steal or manipulate sensitive knowledge,” SonarSource vulnerability researcher Paul Gerste explained in a report shared with The Hacker News.
“The argument injection vulnerability will allow attackers to execute arbitrary code on the server, which would allow [them] to steal, modify or delete all information, or to focus on other internal programs that are reachable from the server.”
CVE-2021-34816, on the other hand, relates to how Etherpad manages plugins, whereby the identify of the offer to be mounted by using the “npm set up” command is not adequately sanitized, foremost to a scenario that could make it possible for an attacker to “specify a destructive package from the NPM repository or to simply use a URL that factors to a bundle on the attacker’s server.”
The consequence of productive exploitation of CVE-2021-34816 is the execution of arbitrary code and procedure commands, thus totally compromising the Etherpad occasion and its facts.
Concerningly, both equally vulnerabilities can be chained together by an attacker 1st to acquire above an administrator account and then use all those privileges to get a shell and execute malicious code on the server.
“Fastened a persistent XSS vulnerability in the Chat part,” Etherpad maintainers claimed in the launch notes for edition 1.8.14. “In scenario you are not able to update to 1.8.14 straight, we strongly suggest to cherry-pick [commit] a796811.” It’s worthy of pointing out that the argument injection vulnerability remains unpatched, even though the researchers take note that the flaw is “drastically harder to exploit on its have.”
The exploration highlights “how crucial knowledge validation and sanitization is for steering clear of this kind of flaws through enhancement,” Gerste reported, adding, “the smallest coding slip-up can be the initially stepping stone for an attacker to launch more attacks versus the program.”
Etherpad end users are hugely encouraged to update their installations to variation 1.8.14 to mitigate the possibility involved with the flaw.