Etherpad is one of the most popular online text editors that allows collaborating on documents in real-time and customizable with more than 250 plugins available and features a version history as well as chat functionality. There are thousands of instances deployed worldwide with millions of users. The project is very popular within the open-source community as shown by the over 10,000 stars on GitHub. Etherpad instances are often publicly usable and can contain sensitive information.
Etherpadcode has 2 critical vulnerabilities. Both can be combined by an attacker to completely take over an Etherpad instance and its data. In this blog post, we cover the technical details of these code vulnerabilities, show how they were patched, and give advice on how to avoid these types of bugs during development.
Two injection vulnerabilities were found in Etherpad 1.8.13 that have been present since at least version 1.7.0:
- Cross-Site Scripting (XSS): CVE-2021-34817
- Argument Injection: CVE-2021-34816
The XSS vulnerability allows attackers to take over Etherpad users, including admins. This can be used to steal or manipulate sensitive data. The Argument Injection vulnerability allows attackers to execute arbitrary code on the server, which would allow them to steal, modify or delete all data, or to target other internal systems that are reachable from the server.
Exploiting the XSS vulnerability is possible on any Etherpad instance with a default configuration. The Argument Injection vulnerability requires an admin account to exist, which is not a default setting. Both vulnerabilities can be combined by an attacker to first compromise an admin and then to use these privileges to execute arbitrary code on the server.
A fix for the XSS vulnerability is implemented in Etherpad version 1.8.14. The Argument Injection vulnerability is still unpatched, but it is significantly harder to exploit on its own.