VYPR

Etherpad Lite

by Ether

CVEs (10)

  • CVE-2018-9326 | Critical | Apr 7, 2018
    risk 0.64 | cvss 9.8 | epss 0.02

    Etherpad 1.6.3 before 1.6.4 allows an attacker to execute arbitrary code.

  • CVE-2018-9327 | High | Apr 7, 2018
    risk 0.53 | cvss 8.1 | epss 0.02

    Etherpad 1.5.x and 1.6.x before 1.6.4 allows an attacker to execute arbitrary code on the server. The instance has to be configured to use a document database (DirtyDB, CouchDB, MongoDB, or RethinkDB).

  • CVE-2018-9325 | High | Apr 7, 2018
    risk 0.49 | cvss 7.5 | epss 0.01

    Etherpad 1.5.x and 1.6.x before 1.6.4 allows an attacker to export all the existing pads of an instance without knowledge of pad names.

  • CVE-2015-2298 | High | Jan 12, 2018
    risk 0.42 | cvss 7.5 | epss 0.02

    node/utils/ExportEtherpad.js in Etherpad 1.5.x before 1.5.2 might allow remote attackers to obtain sensitive information by leveraging an improper substring check when exporting a padID.

  • CVE-2015-4085 | High | Sep 7, 2017
    risk 0.42 | cvss 7.5 | epss 0.02

    Directory traversal vulnerability in node/hooks/express/tests.js in Etherpad frontend tests before 1.6.1.

  • CVE-2018-9845 | Critical | Apr 29, 2018
    risk 0.01 | cvss 9.8 | epss 0.13

    Etherpad Lite before 1.6.4 is exploitable for admin access.

  • CVE-2021-43802 | Dec 9, 2021
    risk 0.00 | cvss | epss 0.02

    Etherpad is a real-time collaborative editor. In versions prior to 1.8.16, an attacker can craft an `*.etherpad` file that, when imported, might allow the attacker to gain admin privileges for the Etherpad instance. This, in turn, can be used to install a malicious Etherpad…

  • CVE-2020-22782 | Apr 28, 2021
    risk 0.00 | cvss | epss 0.01

    Etherpad < 1.8.3 is affected by a denial of service in the import functionality. Upload of a binary file to the import endpoint would crash the instance.

  • CVE-2019-18209 | Oct 19, 2019
    risk 0.00 | cvss | epss 0.01

    templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.

  • CVE-2018-6834 | Medium | Feb 8, 2018
    risk 0.00 | cvss 6.1 | epss 0.01

    static/js/pad_utils.js in Etherpad Lite before v1.6.3 has XSS via window.location.href.