Hackers can exploit open source software to spread malware

Jul 14, 2021 14:08 GMT

Version 1.8.13 of Etherpad seems to contain two vulnerabilities that enable threat actors to steal sensitive documents, hijack administrator accounts and execute system commands, says The Hacker News.

Cybersecurity researchers from SonarSource tracked the two vulnerabilities as CVE-2021-34816 and CVE-2021-34817. A hacker can take advantage of each of these vulnerabilities to hijack an administrative account and from there, gain shell access and install malware on the main server. Etherpad released patches to fix these flaws on the 4th of July.

Paul Gerste, a cybersecurity researcher at SonarSource, explained that hackers can use cross-site scripting (XSS) attacks that allow them to gain access to the accounts of Etherpad users, including admin accounts. Once inside, malicious actors can steal or manipulate victims' data.

He added that "The argument injection vulnerability allows attackers to execute arbitrary code on the server, which would allow [them] to steal, modify or delete all data, or to target other internal systems that are reachable from the server."

Hackers can obtain access to the server and install malware by exploiting these vulnerabilities

Etherpad includes a chat component that facilitates greater cooperation. Team members can communicate with one another in a per-pad group chat, and because the messages are stored on the server, they are accessible to everyone. While a versatile and convenient feature, the downside stems from the XSS vulnerability (CVE-2021-34817) that enables the injection of malicious JavaScript payloads into the chat history.

Another great feature of Etherpad is the ability to install plugins via the "npm install" command. The danger with this is that an attacker can install a malicious package from the NPM repository if the instance is not configured properly.

To avoid being affected by the vulnerability, Etherpad users are strongly advised to update their software to version 1.8.14.