XSS and Argument Injection Flaws Found in Popular Etherpad Collaboration Tool
Researchers discovered two vulnerabilities in Etherpad, an open-source collaborative real-time editor that allows multiple authors to simultaneously edit a text document. The vulnerabilities can lead to theft or manipulation of documents being edited; and to theft, modification or deletion of all data, and to targeting other internal systems that are reachable from the server.
Etherpad has thousands of deployments worldwide, and millions of users. It can be hosted locally, or used through third-party public instances. The first vulnerability (CVE-2021-34817), found and described by researchers at SonarSource, is an XSS flaw that allows an attacker to take over a user account, including admins, and gain access to the document.
The second flaw (CVE-2021-34816) is an argument injection vulnerability that allows an attacker to execute arbitrary code and system commands to fully compromise the Etherpad instance and its data. This second flaw requires an admin account, which is not a default setting. However, if one exists, the two vulnerabilities can be chained by the attacker to first compromise an admin and then to use the admin privileges to execute arbitrary code on the server.
The argument injection flaw involves Etherpad’s admin area where admins can manage plugins, edit settings, and view system information. When a new plugin is to be installed, its name is sent to the backend where the corresponding NPM plugin is called and installed. By first hijacking an admin account via the XSS flaw, the attacker can manipulate this process to specify a malicious package from the NPM repository or to simply use a URL that points to a package on the attacker’s server.
The flaws were reported by the SonarSource researchers to Etherpad on April 6, 2021 and confirmed by Etherpad on the same day. The XSS flaw was fixed by April 8, 2021 and released within Etherpad version 1.8.14 on July 4, 2021. The argument injection flaw has not so far been fixed, but is harder to exploit without the XSS flaw.
The researchers believe that the vulnerabilities may have been present within Etherpad since at least version 1.7.0. It is important that all Etherpad users who have not yet updated to version 1.8.14 do so as soon as possible.