Etherpad 1.6.3 privileges management

Summaryinfo

A vulnerability has been found in Etherpad 1.6.3 and classified as critical. This affects an unknown part. This manipulation causes privileges management. The identification of this vulnerability is CVE-2018-9326. It is possible to initiate the attack remotely. There is no exploit available. The affected component should be upgraded.

Detailsinfo

A vulnerability was found in Etherpad 1.6.3. It has been declared as critical. Affected by this vulnerability is an unknown part. The manipulation with an unknown input leads to a privileges management vulnerability. The CWE definition for the vulnerability is CWE-269. The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

Etherpad 1.6.3 before 1.6.4 allows an attacker to execute arbitrary code.

The bug was discovered 04/07/2018. The weakness was shared 04/07/2018 (Website). The advisory is shared at blog.etherpad.org. This vulnerability is known as CVE-2018-9326 since 04/05/2018. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1068 for this issue.

Upgrading to version 1.6.4 eliminates this vulnerability.

The entries VDB-115908 and VDB-115910 are related to this item. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Name

• Etherpad

Version

• 1.6.3

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion