TLDR; Site admins should Update ASAP to 1.6.4 due to several security enhancements.

Today we released Etherpad 1.6.4.

This release fixes several security vulnerabilities in recent versions:

One is an arbitrary code execution vulnerability in version 1.6.3.

Another is an arbitrary code execution vulnerability which is present in all versions from 1.5.0 on, but only exploitable on sites that store pads in DirtyDB, CouchDB, MongoDB, or RethinkDB.

A third allows attackers to export any pad without knowing its name (as normally required) in all versions from 1.5.0 on.

The Etherpad Leadership Team recommends that administrators upgrade to 1.6.4 as soon as possible to mitigate these issues.

“Etherpad is key to a number of organization that promote collaboration, freedom and transparency and as such we are proud to provide infrastructure for these values,”

said John McLear, Etherpad’s chief maintainer.

“In a world that is becoming more fragmented, we’re very keen to promote global collaboration and are dedicated to improving the security of Etherpad.”

About Etherpad

Etherpad is a highly customizable free software editor for collaborative editing online. Used to support collaboration across many important initiatives across the Internet, Etherpad is critical web infrastructure. Etherpad is widely used by individuals and groups who want to collaborate effectively using decentralized trusted free software.

Etherpad is a member project of Software Freedom Conservancy

The Etherpad foundation would like to thank Synacktiv for responsibly disclosing these vulnerabilities.