Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWN3ZzktYzljci1wNWZx

Improper Neutralization of Input in Theia console

In Eclipse Theia versions up to and including 1.8.0, in the debug console there is no HTML escaping, so arbitrary Javascript code can be injected.

Permalink: https://github.com/advisories/GHSA-cwg9-c9cr-p5fq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWN3ZzktYzljci1wNWZx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: over 1 year ago


CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-cwg9-c9cr-p5fq, CVE-2021-28161
References: Repository: https://github.com/eclipse-theia/theia
Blast Radius: 13.9

Affected Packages

npm:@theia/console
Dependent packages: 9
Dependent repositories: 187
Downloads: 27,857 last month
Affected Version Ranges: < 1.8.1
Fixed in: 1.8.1
All affected versions: 0.3.16, 0.3.17, 0.3.18, 0.3.19, 0.4.0, 0.5.0, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.16.1, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0
All unaffected versions: 1.8.1, 1.9.0, 1.10.0, 1.11.0, 1.12.0, 1.12.1, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.17.1, 1.17.2, 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.22.0, 1.22.1, 1.23.0, 1.24.0, 1.25.0, 1.26.0, 1.27.0, 1.28.0, 1.29.0, 1.29.1, 1.29.2, 1.30.0, 1.31.0, 1.31.1, 1.32.0, 1.33.0, 1.34.0, 1.34.1, 1.34.2, 1.34.3, 1.34.4, 1.35.0, 1.36.0, 1.37.0, 1.37.1, 1.37.2, 1.38.0, 1.39.0, 1.40.0, 1.40.1, 1.41.0, 1.42.0, 1.42.1, 1.43.0, 1.43.1, 1.44.0, 1.45.0, 1.45.1, 1.46.0, 1.46.1, 1.47.0, 1.47.1, 1.48.0, 1.48.2, 1.48.3, 1.49.0, 1.49.1, 1.50.0, 1.50.1, 1.51.0