XSS bug in open source program has now been patched, though second flaw remains


Security vulnerabilities in online text editor Etherpad could allow attackers to remotely compromise a victim’s server and steal sensitive information, new research reveals.

A cross-site scripting flaw (XSS) enabled attackers to create a malicious shared document, or ‘pad’, that executes attacker-controlled code in the victim’s browser, allowing assailants to read, create, or modify data.

A second vulnerability, an argument injection bug, allowed attackers with administrative access to execute arbitrary code on the server by installing plugins from a URL that’s under their control.




Both vulnerabilities (CVE-2021-34817 and CVE-2021-34816), which were classed as ‘critical’, could be combined by attackers to compromise a server remotely.

The XSS vulnerability has been fixed in Etherpad version 1.8.14. The argument injection vulnerability is still apparently unpatched, but the researchers who discovered the flaw said it is “significantly harder” to exploit on its own.

Double trouble?

The security issues were discovered by Paul Gerste, vulnerability researcher at SonarSource, a Switzerland-based developer of DevSecOps tools.

A blog post released last night (July 13) states that Etherpad has more than 250 plugins available and features a version history as well as chat functionality.

It is particularly popular within the open source community and has been bookmarked more than 10,000 times by users.

Gerste told The Daily Swig that while the vulnerabilities are serious when chained, there are limitations to their exploitation.




“Instances with default configuration are vulnerable,” Gerste said. “The attacker needs to be able to import a pad, so if the Etherpad instance is publicly accessible and pad creation is not restricted, then it is vulnerable.”

He added: “Attackers that already have access to a pad could elevate their privileges by targeting other users.”

Regarding the argument injection vulnerability, this can only be exploited if an admin account exists, which is not the case in a default configuration.

Therefore, an attacker can abuse the vulnerability if they compromise an administrator’s account – which can be achieved either via exploitation of the XSS vulnerability “or by other means”.

One patched, one to go

Gerste said that the maintainers of the project were quick to respond to his report and “took the matter seriously”, although they have only fixed one of the issues so far.

“The fix for the XSS vulnerability was patched two days later,” he explained.

“The argument injection was not easily fixable because of the way Etherpad’s plugin system works.

“Since people can publish plugins via NPM, attackers could always find a way to introduce malicious code, so admins should always be careful which plugins they install.”

