Connect with us

Hi, what are you looking for?


Data Protection

Vulnerabilities in Etherpad Collaboration Tool Allow Data Theft

XSS and Argument Injection Flaws Found in Popular Etherpad Collaboration Tool

XSS and Argument Injection Flaws Found in Popular Etherpad Collaboration Tool

Researchers discovered two vulnerabilities in Etherpad, an open-source collaborative real-time editor that allows multiple authors to simultaneously edit a text document. The vulnerabilities can lead to theft or manipulation of documents being edited; and to theft, modification or deletion of all data, and to targeting other internal systems that are reachable from the server.

Etherpad has thousands of deployments worldwide, and millions of users. It can be hosted locally, or used through third-party public instances. The first vulnerability (CVE-2021-34817), found and described by researchers at SonarSource, is an XSS flaw that allows an attacker to take over a user account, including admins, and gain access to the document.

The second flaw (CVE-2021-34816) is an argument injection vulnerability that allows an attacker to execute arbitrary code and system commands to fully compromise the Etherpad instance and its data. This second flaw requires an admin account, which is not a default setting. However, if one exists, the two vulnerabilities can be chained by the attacker to first compromise an admin and then to use the admin privileges to execute arbitrary code on the server.

The XSS flaw exists in the Etherpad chat feature. Messages are stored and available on the server. When a user opens a pad, the chat messages are brought to the front end with HTML elements. During this process, the userId property of a message is inserted into the DOM without properly escaping special characters. An attacker could inject malicious JavaScript into the chat history, which would then be executed. “This enables an attacker,” say the researchers, “to initiate further attack requests in the browser context of the admin.”

The argument injection flaw involves Etherpad’s admin area where admins can manage plugins, edit settings, and view system information. When a new plugin is to be installed, its name is sent to the backend where the corresponding NPM plugin is called and installed. By first hijacking an admin account via the XSS flaw, the attacker can manipulate this process to specify a malicious package from the NPM repository or to simply use a URL that points to a package on the attacker’s server.

The flaws were reported by the SonarSource researchers to Etherpad on April 6, 2021 and confirmed by Etherpad on the same day. The XSS flaw was fixed by April 8, 2021 and released within Etherpad version 1.8.14 on July 4, 2021. The argument injection flaw has not so far been fixed, but is harder to exploit without the XSS flaw.

The researchers believe that the vulnerabilities may have been present within Etherpad since at least version 1.7.0. It is important that all Etherpad users who have not yet updated to version 1.8.14 do so as soon as possible.

Advertisement. Scroll to continue reading.

SonarSource is a code analysis firm headquartered in Geneva, Switzerland. It was founded by Olivier Gaudin (CEO), Freddy Mallet (angel investor), and Simon Brandhof (technical lead) in 2008, and raised $45 million from Insight Venture Partners in 2016. In May 2020 it acquired German startup RIPS Technologies, known for its PHP, Java and JavaScript analyzers.

Related: XSS Vulnerability in Cisco Security Products Exploited in the Wild

Related: Stored XSS Vulnerability on Earned Researcher $5,000

Related: Google Launches Database for Open Source Vulnerabilities

Related: Open Source Security Management Firm WhiteSource Raises $75 Million

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...