Cybersecurity specialists reported the detection of at least two vulnerabilities in Etherpad, a popular online text editor. According to the report, the flaws would allow threat actors to attack victims’ servers remotely and extract sensitive information.

In their tests, the experts managed to abuse a cross-site scripting (XSS) flaw to create malicious documents that execute code controlled by an attacker in the context of the target user’s browser.

The second flaw is an argument injection issue that threat actors with administrative access could abuse to execute arbitrary code on the server by installing plugins from a URL under their control. The vulnerabilities are tracked as CVE-2021-34817 and CVE-2021-34816, respectively.

According to the report, hackers could combine the flaws to completely compromise a server remotely. While the XSS flaw was corrected with the release of Etherpad v1.8.14, the argument injection flaw has not been addressed, although experts note that this flaw is difficult to exploit on its own.
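Since the argument injection flaw remains unpatched, the sketch below shows the kind of check that keeps a plugin identifier from being read as an installer option or a remote source. It is an added example, not code from the article or from Etherpad; it assumes plugin names carry the `ep_` prefix and that the installer is invoked as `npm install <name>`, and all function names and sample inputs are hypothetical.

```javascript
// Added example, not Etherpad's code. Assumptions: plugin names carry the
// "ep_" prefix and the installer is invoked as `npm install <name>`.
const PLUGIN_NAME = /^ep_[a-z0-9][a-z0-9_-]{0,63}$/;

// Explain why an identifier is refused, so the rejection can be logged.
function rejectionReason(plugin) {
  if (typeof plugin !== 'string' || plugin.length === 0) return 'not-a-string';
  if (plugin.startsWith('-')) return 'option-like';           // would parse as a flag
  if (/^[a-z][a-z0-9+.-]*:/i.test(plugin) || /[\/\\]/.test(plugin)) {
    return 'url-or-path';                                      // remote or local source
  }
  if (!PLUGIN_NAME.test(plugin)) return 'not-allowlisted';    // e.g. version specifiers
  return null;
}

// Weak form: the value reaches the installer unchanged, so the installer
// decides whether it is a name, an option or a URL.
function buildInstallArgsUnsafe(plugin) {
  return ['install', plugin];
}

// Hardened form: allow-list first, then place the name after "--", the
// conventional end-of-options marker, as a second line of defence.
function buildInstallArgs(plugin) {
  const reason = rejectionReason(plugin);
  if (reason) throw new Error(`plugin identifier rejected (${reason})`);
  return ['install', '--', plugin];
}

// Constructed sample inputs (hypothetical values, not taken from the report).
const SAMPLES = [
  'ep_align',
  '--some-option=value',
  'https://files.invalid/ep_x.tgz',
  'ep_align@1.0.0',
  '../ep_local',
];

// Classify each candidate the way an admin endpoint would before installing.
function audit(samples) {
  return samples.map((s) => {
    const reason = rejectionReason(s);
    return { input: s, accepted: reason === null, reason };
  });
}

console.log(audit(SAMPLES));
```

The argument array is meant for a call that takes arguments as a list (for example `child_process.execFile`), not for concatenation into a shell command string.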

These flaws were reported by researcher Paul Gerste, of the firm SonarSource. In his post, the researcher points out that Etherpad has over 250 plugins available, making it a considerable area of research.

The editor is very popular in the open source community and has around 10 thousand active deployments. According to Gerste, while these security flaws are serious when chained together, some factors significantly reduce the likelihood of exploitation.

One relevant condition is that deployments with default settings are vulnerable: “A threat actor will need to import a pad, so if the Etherpad instance is publicly accessible and does not restrict the creation of new pads, it will be prone to this attack variant,” Gerste says. The expert added that hackers could perform a privilege escalation by targeting other users.

The researcher concluded by mentioning that project managers responded quickly to this report and began working to address the issues immediately: “The solution to address the XSS flaw was corrected two days after notifying the developers.”


The post Unpatched zero-day argument injection vulnerability in the open source text editor Etherpad. Don’t open any unknown file appeared first on Information Security Newspaper | Hacking News.
