Unpatched zero-day argument injection vulnerability in the open source text editor Etherpad. Don’t open any unknown file

Cybersecurity specialists reported the detection of at least two vulnerabilities in Etherpad, a popular online text editor. According to the report, the flaws would allow threat actors to attack victims’ servers remotely and extract sensitive information.

In their tests, the experts managed to abuse a cross-site scripting (XSS) flaw to create malicious documents that execute code controlled by an attacker in the context of the target user’s browser.

The second reported issue was described as an argument injection flaw that could be abused by threat actors with administrative access to execute arbitrary code on the server by installing a plugin from a URL under the attackers’ control. The vulnerabilities were tracked as CVE-2021-34817 and CVE-2021-34816 respectively.

According to the report, hackers could combine the flaws to completely compromise a server remotely. While the XSS flaw was corrected with the release of Etherpad v1.8.14, the argument injection flaw has not been addressed, although experts note that this flaw is difficult to exploit on its own.

These flaws were reported by researcher Paul Gerste, of the firm SonarSource. In his post, the researcher points out that Etherpad has over 250 plugins available, making it a considerable area of research.

The editor is very popular in the open source community and has around 10 thousand active deployments. According to Gerste, while these security flaws are serious when exploited in a chained manner, there are some factors that significantly reduce the chances of exploitation.

One such factor is whether pad creation is restricted; deployments with default settings are vulnerable: “A threat actor will need to import a pad, so if the Etherpad instance is publicly accessible and does not restrict the creation of new pads, it will be prone to this attack variant,” Gerste says. The expert added that hackers could perform a privilege escalation by targeting other users.

The researcher concluded by mentioning that project managers responded quickly to this report and began working to address the issues immediately: “The solution to address the XSS flaw was corrected two days after notifying the developers.”
