eclipse-theia/theia on GitHub
Eclipse Theia is a cloud & desktop IDE framework implemented in TypeScript.
CVE History
| CVE | Published | CVSS v2 | CVSS v3 |
|---|---|---|---|
| CVE-2021-41038 | 6.1 MEDIUM | 4.3 MEDIUM | |
| In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage(). | |||
| CVE-2021-28161 | 6.1 MEDIUM | 4.3 MEDIUM | |
| In Eclipse Theia versions up to and including 1.8.0, in the debug console there is no HTML escaping, so arbitrary Javascript code can be injected. | |||
| CVE-2021-28162 | 6.1 MEDIUM | 4.3 MEDIUM | |
| In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run. | |||
| CVE-2020-27224 | 9.6 CRITICAL | 9.3 HIGH | |
| In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview), can be exploited to execute arbitrary code. | |||