Skip to main content

Etherpad

10 CVEs product

Monthly

CVE-2021-43802 HIGH PATCH This Week

Etherpad is a real-time collaborative editor. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Etherpad
NVD GitHub
CVSS 3.1
8.8
EPSS
2.0%
CVE-2021-34816 HIGH POC This Week

An Argument Injection issue in the plugin management of Etherpad 1.8.13 allows privileged users to execute arbitrary code on the server by installing plugins from an attacker-controlled source. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Etherpad
NVD GitHub
CVSS 3.1
7.2
EPSS
2.2%
CVE-2021-34817 MEDIUM POC PATCH This Month

A Cross-Site Scripting (XSS) issue in the chat component of Etherpad 1.8.13 allows remote attackers to inject arbitrary JavaScript or HTML by importing a crafted pad. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Etherpad
NVD GitHub
CVSS 3.1
6.1
EPSS
1.3%
CVE-2019-18209 MEDIUM PATCH This Month

templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Etherpad
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2018-9327 HIGH This Week

Etherpad 1.5.x and 1.6.x before 1.6.4 allows an attacker to execute arbitrary code on the server. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Etherpad
NVD
CVSS 3.0
8.1
EPSS
1.6%
CVE-2018-9326 CRITICAL Act Now

Etherpad 1.6.3 before 1.6.4 allows an attacker to execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Etherpad
NVD
CVSS 3.0
9.8
EPSS
2.0%
CVE-2018-9325 HIGH This Week

Etherpad 1.5.x and 1.6.x before 1.6.4 allows an attacker to export all the existing pads of an instance without knowledge of pad names. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Etherpad
NVD
CVSS 3.0
7.5
EPSS
1.2%
CVE-2018-6835 npm CRITICAL PATCH Act Now

node/hooks/express/apicalls.js in Etherpad Lite before v1.6.3 mishandles JSONP, which allows remote attackers to bypass intended access restrictions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Etherpad
NVD GitHub
CVSS 3.0
9.8
EPSS
2.3%
CVE-2015-4085 HIGH This Week

Directory traversal vulnerability in node/hooks/express/tests.js in Etherpad frontend tests before 1.6.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Etherpad
NVD GitHub
CVSS 3.0
7.5
EPSS
0.4%
CVE-2015-3297 HIGH This Week

Directory traversal vulnerability in node/utils/Minify.js in Etherpad 1.1.1 through 1.5.2 allows remote attackers to read arbitrary files by leveraging replacement of backslashes with slashes in the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Etherpad
NVD GitHub
CVSS 3.0
7.5
EPSS
3.8%
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Etherpad is a real-time collaborative editor. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Etherpad
NVD GitHub
EPSS 2% CVSS 7.2
HIGH POC This Week

An Argument Injection issue in the plugin management of Etherpad 1.8.13 allows privileged users to execute arbitrary code on the server by installing plugins from an attacker-controlled source. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Etherpad
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

A Cross-Site Scripting (XSS) issue in the chat component of Etherpad 1.8.13 allows remote attackers to inject arbitrary JavaScript or HTML by importing a crafted pad. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Etherpad
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Etherpad
NVD GitHub
EPSS 2% CVSS 8.1
HIGH This Week

Etherpad 1.5.x and 1.6.x before 1.6.4 allows an attacker to execute arbitrary code on the server. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Etherpad
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

Etherpad 1.6.3 before 1.6.4 allows an attacker to execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Etherpad
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Etherpad 1.5.x and 1.6.x before 1.6.4 allows an attacker to export all the existing pads of an instance without knowledge of pad names. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Etherpad
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

node/hooks/express/apicalls.js in Etherpad Lite before v1.6.3 mishandles JSONP, which allows remote attackers to bypass intended access restrictions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Etherpad
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Directory traversal vulnerability in node/hooks/express/tests.js in Etherpad frontend tests before 1.6.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Etherpad
NVD GitHub
EPSS 4% CVSS 7.5
HIGH This Week

Directory traversal vulnerability in node/utils/Minify.js in Etherpad 1.1.1 through 1.5.2 allows remote attackers to read arbitrary files by leveraging replacement of backslashes with slashes in the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Etherpad
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy