In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage().
CVSS Score
6.1
EPSS Score
0.007
Published
2021-11-10
In Eclipse Theia versions up to and including 1.8.0, in the debug console there is no HTML escaping, so arbitrary Javascript code can be injected.
CVSS Score
6.1
EPSS Score
0.007
Published
2021-03-12
In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run.
CVSS Score
6.1
EPSS Score
0.008
Published
2021-03-12
In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview), can be exploited to execute arbitrary code.
CVSS Score
9.6
EPSS Score
0.024
Published
2021-02-24