Etherpad · Etherpad · CVE-2015-3297
**Name of the Vulnerable Software and Affected Versions**
Etherpad versions 1.1.1 through 1.5.2
**Description**
The issue allows remote attackers to read arbitrary files by leveraging replacement of backslashes with slashes in the `path` parameter of HTTP API requests, such as "/api/*" endpoints.
**Recommendations**
For versions 1.1.1 through 1.5.2, as a temporary workaround, consider restricting access to the `Minify.js` file in the `node/utils` directory until a patch is available. Avoid using the `path` parameter in affected API endpoints until the issue is resolved.