In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage().
CVSS Score
6.1
EPSS Score
0.003
Published
2021-11-10
In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. This extension uses lsp4xml (recently renamed to LemMinX) in order to provide language support for XML. This is installed by default.
CVSS Score
9.8
EPSS Score
0.035
Published
2021-09-02
In Eclipse Theia versions up to and including 1.8.0, in the debug console there is no HTML escaping, so arbitrary Javascript code can be injected.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-03-12
In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-03-12
In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview), can be exploited to execute arbitrary code.
CVSS Score
9.6
EPSS Score
0.005
Published
2021-02-24