GMS-2020-714: Unauthenticated Remote Command Injection in ep_imageconvert

August 31, 2020 (updated September 23, 2021)

ep_imageconvert is a plugin for Etherpad Lite. ep_imageconvert <= 0.0.2 is vulnerable to remote command injection.

Authentication is not required for remote exploitation.

Recommendation

Update to version 0.0.3 or greater.

References

github.com/advisories/GHSA-28gr-86hg-r48w
github.com/redhog/ep_imageconvert/pull/5
nvd.nist.gov/vuln/detail/CVE-2013-3364
snyk.io/vuln/npm:ep_imageconvert:20130506
www.npmjs.com/advisories/7

Detect and mitigate GMS-2020-714 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →