XSS and Argument Injection Vulnerabilities Discovered in Etherpad Collaboration Tool

37
XSS and Argument Injection Vulnerabilities Discovered in Etherpad Collaboration Tool

Researchers have discovered two new vulnerabilities in Etherpad which could allow for the theft or manipulation of documents in progress, as well as the theft, alteration, or destruction of all data, as well as the targeting of other internal systems accessible via the server.

The first vulnerability, identified and documented by SonarSource researchers as CVE-2021-34817, is an XSS flaw that allows an attacker to take control of a user account, even admins, and obtain access to the document. The second vulnerability, CVE-2021-34816, is an argument injection vulnerability that allows a threat actor to run system commands and arbitrary code on the Etherpad instance and its data.

To Read More: SecurityWeek 

For more such updates follow us on Google News ITsecuritywire News