
Critical XSS vulnerabilities discovered in Etherpad


Etherpad is a common alternative to Google Docs

Cybersecurity researchers from SonarSource have discovered new security vulnerabilities in the Etherpad text editor (version 1.8.13) that could enable attackers to hijack administrator accounts, execute system commands, and steal sensitive documents.


The two flaws — CVE-2021-34816 and CVE-2021-34817 — were discovered and reported on June 4th, following which multiple patches have been shipped in version 1.8.14 of Etherpad released on July 4.


Etherpad is a real-time collaborative interface that enables a document to be edited simultaneously by multiple authors. It is an open-source alternative to Google Docs that can be self-hosted or used through one of the many third-party public instances available.


"The XSS vulnerability allows attackers to take over Etherpad users, including admins. This can be used to steal or manipulate sensitive data," SonarSource vulnerability researcher Paul Gerste said in a report shared with The Hacker News.


"The argument injection vulnerability allows attackers to execute arbitrary code on the server, which would allow [them] to steal, modify or delete all data, or to target other internal systems that are reachable from the server."


The XSS vulnerability (CVE-2021-34817) was located in Etherpad's chat feature. The "userId" property of a chat message, a unique identifier associated with a document author, was rendered on the front end without properly escaping special characters, permitting an adversary to insert a malicious JavaScript payload into the chat history and perform actions as a victim user.


CVE-2021-34816 relates to how Etherpad manages plugins, wherein the name of the package to be installed via the "npm install" command is not adequately sanitized, leading to a scenario that could allow an attacker to "specify a malicious package from the NPM repository or to simply use a URL that points to a package on the attacker's server."
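
The kind of input check this flaw calls for, shown as an added example (it is not Etherpad's patch and not code from SonarSource): a plugin name is matched against an allowlist before it is ever handed to `npm install`. It assumes plugins are plain registry packages whose names start with `ep_`; `checkPluginName` and `installArgs` are hypothetical names.

```javascript
// Added example: allowlist a plugin name before it reaches `npm install`.
// Assumption: valid plugins are plain registry names with an "ep_" prefix.
const PLUGIN_NAME = /^ep_[a-z0-9][a-z0-9_-]{0,60}$/;

function checkPluginName(name) {
  if (typeof name !== 'string') return { ok: false, reason: 'not a string' };
  // A leading dash would be parsed by npm as an option, not a package.
  if (name.startsWith('-')) return { ok: false, reason: 'looks like a command-line option' };
  if (/\s/.test(name)) return { ok: false, reason: 'contains whitespace' };
  // Rejects URLs, file paths, scoped names and version/tag specifiers.
  if (/[:\/\\@]/.test(name)) return { ok: false, reason: 'URL, path, scope or version specifier' };
  if (!PLUGIN_NAME.test(name)) return { ok: false, reason: 'not an allowed plugin name' };
  return { ok: true, reason: '' };
}

// Returns an argv array for child_process.execFile('npm', argv);
// the name is never concatenated into a shell command string.
function installArgs(name) {
  const verdict = checkPluginName(name);
  if (!verdict.ok) {
    throw new Error(`refusing to install ${JSON.stringify(name)}: ${verdict.reason}`);
  }
  return ['install', name];
}

// Constructed sample inputs, not taken from the advisory.
const SAMPLES = [
  'ep_example',
  'https://example.invalid/pkg.tgz',
  '--some-option',
  'left-pad',
  'ep_x@1.0.0',
  'ep_a b',
];

function classify(samples) {
  return samples.map((s) => [s, checkPluginName(s).ok]);
}

for (const [s, ok] of classify(SAMPLES)) {
  console.log(ok ? 'ALLOW ' : 'REJECT', s);
}
```

Only the first sample passes; the URL, the option-like string, the non-plugin package and the names carrying a version specifier or whitespace are all refused before any process is spawned.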


Etherpad users are strongly advised to update their installations to version 1.8.14 to mitigate the risk associated with the flaws.

