Cybersecurity researchers have disclosed new security vulnerabilities in the Etherpad text editor (version 1.8.13) that could potentially allow attackers to hijack administrator accounts, execute system commands, and even steal sensitive documents.
The two flaws, tracked as CVE-2021-34816 and CVE-2021-34817, were discovered and reported on June 4 by researchers from SonarSource, following which patches were shipped for the latter in version 1.8.14 of Etherpad, released on July 4.
Etherpad is a real-time collaborative interface that allows a document to be edited simultaneously by multiple authors. It is an open-source alternative to Google Docs that can be hosted on your own servers.
“The XSS vulnerability allows attackers to take over Etherpad users, including admins. This can be used to steal or manipulate sensitive data,” SonarSource vulnerability researcher Paul Gerste said in a report shared with The Hacker News.
“The argument injection vulnerability allows attackers to execute arbitrary code on the server, which would allow [them] to steal, modify or delete all data, or to target other internal systems that are reachable from the server.”
Specifically, the XSS vulnerability (CVE-2021-34817) resides in the chat feature offered by Etherpad, with the “userId” property of a chat message, i.e., a unique identifier associated with a document author, rendered on the front end without properly escaping special characters, thus allowing an adversary to insert a malicious JavaScript payload into the chat history and execute actions as a target user.
CVE-2021-34816, on the other hand, relates to how Etherpad manages plugins, wherein the name of the package to be installed via the “npm install” command is not sufficiently sanitized, leading to a scenario that could allow an attacker to “specify a malicious package from the NPM repository or to simply use a URL that points to a package on the attacker’s server.”
Successful exploitation of CVE-2021-34816 results in the execution of arbitrary code and system commands, thereby fully compromising the Etherpad instance and its data.
Concerningly, the two vulnerabilities can be chained together by an attacker, first to take over an administrator account and then to use those privileges to gain a shell and execute malicious code on the server.
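As an added illustration of the two root causes described above (this is example code, not Etherpad's own), the following JavaScript escapes every user-controlled chat field before it reaches the DOM and checks a plugin name against a strict allow-list before it could ever be handed to npm install. The function names and the sample chat message are constructed for this example.

```javascript
// Added example, not Etherpad code: the two defensive checks that the
// vulnerabilities above lack. Names and sample data are constructed.

// Escape the five characters that can break out of HTML text or attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the markup for one chat entry. Every field that originates from a
// user (userId, userName, text) is escaped; only the surrounding tags are
// trusted. The unescaped userId is exactly what made CVE-2021-34817 possible.
function renderChatMessage(msg) {
  return `<p data-userid="${escapeHtml(msg.userId)}">` +
    `<b>${escapeHtml(msg.userName)}:</b> ${escapeHtml(msg.text)}</p>`;
}

// Strict allow-list for npm package names (scoped or unscoped, lowercase).
// URLs, paths, version suffixes and anything starting with "-" are rejected,
// so the value can never be interpreted by npm as a different argument.
const NPM_NAME = /^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/;

function isSafePluginName(name) {
  return typeof name === 'string' && name.length <= 214 && NPM_NAME.test(name);
}

// Constructed sample: a userId carrying a script-bearing tag.
const sampleMessage = {
  userId: 'a.xyz<img src=x onerror=alert(1)>',
  userName: 'alice',
  text: 'hello "there"',
};

console.log(renderChatMessage(sampleMessage));
console.log(isSafePluginName('ep_headings2'), isSafePluginName('https://attacker.example/x.tgz'));
```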
“Fixed a persistent XSS vulnerability in the Chat component,” Etherpad maintainers noted in the release notes for version 1.8.14. “In case you can’t update to 1.8.14 directly, we strongly recommend to cherry-pick [commit] a796811.” It’s worth pointing out that the argument injection vulnerability remains unpatched, although the researchers note that the flaw is “significantly harder to exploit on its own.”
The research highlights “how important data validation and sanitization is for preventing these kinds of flaws during development,” Gerste said, adding, “the smallest coding mistake can be the first stepping stone for an attacker to launch further attacks against the application.”
Etherpad users are highly recommended to update their installations to version 1.8.14 to mitigate the risk associated with the flaw.
Some parts of this article are sourced from: thehackernews.com