Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Etherpad
(Etherpad)| Repositories | https://github.com/ether/etherpad-lite |
| #Vulnerabilities | 16 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-12-09 | CVE-2021-43802 | Etherpad is a real-time collaborative editor. In versions prior to 1.8.16, an attacker can craft an `*.etherpad` file that, when imported, might allow the attacker to gain admin privileges for the Etherpad instance. This, in turn, can be used to install a malicious Etherpad plugin that can execute arbitrary code (including system commands). To gain privileges, the attacker must be able to trigger deletion of `express-session` state or wait for old `express-session` state to be cleaned up.... | Etherpad | 8.8 | ||
| 2021-07-21 | CVE-2021-34816 | An Argument Injection issue in the plugin management of Etherpad 1.8.13 allows privileged users to execute arbitrary code on the server by installing plugins from an attacker-controlled source. | Etherpad | 7.2 | ||
| 2021-07-19 | CVE-2021-34817 | A Cross-Site Scripting (XSS) issue in the chat component of Etherpad 1.8.13 allows remote attackers to inject arbitrary JavaScript or HTML by importing a crafted pad. | Etherpad | 6.1 | ||
| 2021-04-28 | CVE-2020-22783 | Etherpad <1.8.3 stored passwords used by users insecurely in the database and in log files. This affects every database backend supported by Etherpad. | Etherpad | 6.5 | ||
| 2021-04-28 | CVE-2020-22781 | In Etherpad < 1.8.3, a specially crafted URI would raise an unhandled exception in the cache mechanism and cause a denial of service (crash the instance). | Etherpad | 7.5 | ||
| 2021-04-28 | CVE-2020-22785 | Etherpad < 1.8.3 is affected by a missing lock check which could cause a denial of service. Aggressively targeting random pad import endpoints with empty data would flatten all pads due to lack of rate limiting and missing ownership check. | Etherpad | 7.5 | ||
| 2021-04-28 | CVE-2020-22782 | Etherpad < 1.8.3 is affected by a denial of service in the import functionality. Upload of binary file to the import endpoint would crash the instance. | Etherpad | 7.5 | ||
| 2020-02-13 | CVE-2015-3309 | Directory traversal vulnerability in node/utils/Minify.js in Etherpad 1.1.2 through 1.5.4 allows remote attackers to read arbitrary files with permissions of the user running the service via a .. (dot dot) in the path parameter of HTTP API requests. NOTE: This vulnerability is due to an incomplete fix to CVE-2015-3297. | Etherpad | N/A | ||
| 2019-10-19 | CVE-2019-18209 | templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer. | Etherpad | N/A | ||
| 2018-02-08 | CVE-2018-6835 | node/hooks/express/apicalls.js in Etherpad Lite before v1.6.3 mishandles JSONP, which allows remote attackers to bypass intended access restrictions. | Etherpad | 9.8 |