CVE-2021-28162: Inclusion of Functionality from Untrusted Control Sphere

May 10, 2021

In Eclipse Theia versions up to and including, in the notification messages there is no HTML escaping, so Javascript code can run.

References

github.com/advisories/GHSA-c94v-8fff-73ph
github.com/eclipse-theia/theia/blob/master/CHANGELOG.md
github.com/eclipse-theia/theia/issues/7283
github.com/eclipse-theia/theia/pull/7289
nvd.nist.gov/vuln/detail/CVE-2021-28162

Detect and mitigate CVE-2021-28162 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →