Known Vulnerabilities
CVE-2021-34435
In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. Because of the way the extension is implemented, a previewed HTML file can trigger an RCE. The exploit only happens if a user previews a malicious file.
UNKNOWN
Published Sep 01, 2021
CVE-2021-28162
In Eclipse Theia versions up to and including 0.16.0, notification messages are not HTML-escaped, so JavaScript code can run.
UNKNOWN
Published Mar 12, 2021
CVE-2021-28161
In Eclipse Theia versions up to and including 1.8.0, debug console output is not HTML-escaped, so arbitrary JavaScript code can be injected.
UNKNOWN
Published Mar 12, 2021
CVE-2020-27224
In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview) can be exploited to execute arbitrary code.
UNKNOWN
Published Feb 24, 2021