CVE-2015-3309

Name of the Vulnerable Software and Affected Versions: Etherpad versions 1.1.2 through 1.5.4

Description: A directory traversal issue allows remote attackers to read arbitrary files with the permissions of the user running the service. This is achieved by including a .. (dot dot) in the path parameter of HTTP API requests.

Recommendations: For versions 1.1.2 through 1.5.4, as a temporary workaround, consider restricting access to the Minify.js file in the node/utils directory until a patch is available. Avoid using the path parameter in affected HTTP API requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.