PT-2021-4175 · Etherpad · Etherpad

Rhansen

Published

2021-04-06

Updated

2021-07-27

CVE-2021-34817

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Etherpad version 1.8.13

Description A Cross-Site Scripting (XSS) issue in the chat component of Etherpad allows remote attackers to inject arbitrary JavaScript or HTML by importing a crafted pad. This occurs due to a lack of protection for the web page structure, enabling a remote attacker to execute arbitrary JavaScript or HTML code.

Recommendations For Etherpad version 1.8.13, consider disabling the chat component until a patch is available to prevent the injection of arbitrary JavaScript or HTML code. Restrict access to the chat functionality to minimize the risk of exploitation. Avoid importing crafted pads to the chat component until the issue is resolved.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

BDU:2021-04770

CVE-2021-34817

Affected Products

Etherpad

PT-2021-4175 · Etherpad · Etherpad

CVE-2021-34817

Weakness Enumeration

Related Identifiers

Affected Products

References · 10