PT-2017-6660 · Etherpad · Etherpad

Tom Hunkapiller · Published 2017-07-07 · Updated 2020-02-14 · CVE-2015-3297

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Etherpad versions 1.1.1 through 1.5.2

Description: The issue allows unauthenticated remote attackers to read arbitrary files from the server by leveraging the replacement of backslashes with slashes in the path parameter of HTTP API requests, such as the "/api/*" endpoints. The replacement turns a sequence such as "..\..\" into "../../", so a traversal check that runs before the replacement and looks only for "../" is bypassed and the resulting path escapes the intended directory. The impact is disclosure only (CVSS C:P, I:N, A:N): an attacker can read files accessible to the Etherpad process, including its configuration, but cannot modify them or disrupt the service.

Recommendations: Upgrade to a release later than 1.5.2, which is outside the affected range. For versions 1.1.1 through 1.5.2, as a temporary workaround until the upgrade, restrict access to the affected endpoints (the file-serving logic implemented in node/utils/Minify.js) at a reverse proxy, and reject requests whose path parameter contains ".." or a backslash in raw or URL-encoded form ("%2e%2e", "%5c"). Filtering for "../" alone is not sufficient, since that is exactly the check the backslash replacement bypasses.

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2015-3297

Affected Products

Etherpad