
Critical Flaws Reported in Etherpad, a Popular Google Docs Alternative

Researchers have disclosed new security vulnerabilities in the Etherpad text editor. The flaws were discovered and reported on June 4 by researchers from SonarSource. One vulnerability resides in the chat feature offered by Etherpad: the “userId” property of a chat message is rendered on the front-end without properly escaping special characters. The other flaw relates to how Etherpad manages plugins: the name of the package to be installed via the “npm install” command is not adequately sanitized, leading to a scenario that could allow an attacker to “specify a malicious package from the NPM repository”.

Source: https://thehackernews.com/2021/07/critical-flaws-reported-in-etherpad.html
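
The two flaw classes described above, seen from the fix side, as an added example that is not Etherpad's code or the researchers' patch: chat fields are HTML-escaped before rendering, and a plugin name must match a plain-name pattern and an operator allowlist before it reaches `npm install`. The function names, the `ep_` name pattern and the allowlist entry are assumptions made for illustration.

```javascript
// Hypothetical helpers for illustration; not Etherpad's code.
const HTML_ESCAPES = {'&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'};

// Encode the HTML-significant characters so a value renders as text, not markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build chat markup with every client-supplied field escaped, userId included.
function renderChatMessage(msg) {
  return `<p data-author="${escapeHtml(msg.userId)}">` +
         `<b>${escapeHtml(msg.userName)}:</b> ${escapeHtml(msg.text)}</p>`;
}

// Assumed naming convention and operator-maintained allowlist (constructed values).
const PLUGIN_NAME = /^ep_[a-z0-9_]{1,60}$/;
const APPROVED_PLUGINS = new Set(['ep_example_plugin']);

// Return the argument vector for `npm install`, or throw on anything unapproved.
function npmInstallArgs(pluginName) {
  // The pattern rejects URLs, paths, version specifiers and option-like strings.
  if (typeof pluginName !== 'string' || !PLUGIN_NAME.test(pluginName)) {
    throw new Error('plugin name is not a plain registry name');
  }
  // A well-formed name can still be an arbitrary registry package, so the
  // pattern alone is not enough: require prior review.
  if (!APPROVED_PLUGINS.has(pluginName)) {
    throw new Error('plugin is not on the approved list');
  }
  // An argv array is meant for child_process.execFile, which runs no shell.
  return ['install', pluginName];
}

// Constructed sample inputs.
function demo() {
  const html = renderChatMessage({userId: 'a.1"><i>', userName: 'guest', text: 'hi'});
  const verdicts = ['ep_example_plugin', 'ep_unreviewed', 'some-other-package',
                    'ep_example_plugin@1.0.0'].map((name) => {
    try { npmInstallArgs(name); return 'allowed'; } catch (e) { return e.message; }
  });
  return {html, verdicts};
}

console.log(demo());
```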
