5 results (0.004 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage(). En versiones del componente @theia/plugin-ext de Eclipse Theia anteriores a 1.18.0, el contenido de la Webview puede ser secuestrado por medio de la función postMessage() • https://bugs.eclipse.org/bugs/show_bug.cgi?id=575924 https://github.com/eclipse-theia/theia/pull/10125 • CWE-940: Improper Verification of Source of a Communication Channel •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. This extension uses lsp4xml (recently renamed to LemMinX) in order to provide language support for XML. This is installed by default. En Eclipse Theia versiones 0.1.1 hasta 0.2.0, es posible explotar la build predeterminada para obtener una ejecución de código remota (y XXE) por medio de la extensión theia-xml-extension. Esta extensión utiliza lsp4xml (recientemente renombrado a LemMinX) para proporcionar soporte de lenguaje para XML. • https://bugs.eclipse.org/bugs/show_bug.cgi?id=563174 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-611: Improper Restriction of XML External Entity Reference •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run. En Eclipse Theia versiones hasta 0.16.0 incluyendo, en los mensajes de notificación no se presenta un escape HTML, por lo que se puede ejecutar el código Javascript • https://github.com/eclipse-theia/theia/issues/7283 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere CWE-830: Inclusion of Web Functionality from an Untrusted Source •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

In Eclipse Theia versions up to and including 1.8.0, in the debug console there is no HTML escaping, so arbitrary Javascript code can be injected. En Eclipse Theia versiones hasta 1.8.0 incluyendo, en la consola de depuración no se presenta un escape HTML, por lo que puede ser inyectado código Javascript arbitrario • https://github.com/eclipse-theia/theia/issues/8794 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 2

In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview), can be exploited to execute arbitrary code. Eclipse Theia versiones hasta 1.2.0 incluyendo, la Markdown Preview (@theia/preview), puede ser explotado para ejecutar código arbitrario • https://github.com/eclipse-theia/theia/issues/7954 https://omespino.com/write-up-google-bug-bounty-xss-to-cloud-shell-instance-takeover-rce-as-root-5000-usd • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •