Eclipse Theia


By the Year

In 2024 there have been 0 published vulnerabilities in Eclipse Theia. Theia did not have any published security vulnerabilities last year either.

Year   Vulnerabilities   Average CVSS Score
2024   0                 0.00
2023   0                 0.00
2022   0                 0.00
2021   6                 7.75
2020   1                 8.10
2019   0                 0.00
2018   0                 0.00

It may take a day or so for new Theia vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Vulnerabilities may also be tagged under a different product or component name.

Recent Eclipse Theia Security Vulnerabilities

CVE-2021-41038 6.1 - Medium - November 10, 2021

In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage().
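The weakness behind CVE-2021-41038 is the usual postMessage() one: a message listener that never checks event.origin will act on a message from any window that holds a reference to the webview host, and a sender that posts with targetOrigin "*" leaks the message to whatever document happens to be loaded in the target frame. The example below is added here to illustrate that pattern; it is not Theia's code, the WEBVIEW_ORIGIN value and the {command, html} message shape are assumptions, and the two events are constructed stand-ins for browser MessageEvent objects so that the handlers can be exercised in Node without a DOM.

```javascript
'use strict';

// Origin the host expects its webview frames to be served from (assumed).
const WEBVIEW_ORIGIN = 'https://webview.example.invalid';

// Vulnerable pattern: the handler never looks at event.origin, so any
// window that can reach this one (opener, parent, embedded frame) can
// send {command: 'setHtml'} and replace the webview's content.
function vulnerableHandler(state, event) {
  const msg = event.data;
  if (msg && msg.command === 'setHtml') {
    state.html = msg.html;
    return true;
  }
  return false;
}

// Hardened pattern: reject the event before touching its payload unless
// it came from the one origin we expect, then validate the payload shape.
function hardenedHandler(state, event, allowedOrigin = WEBVIEW_ORIGIN) {
  if (event.origin !== allowedOrigin) {
    return false; // drop silently; do not reply to an unexpected sender
  }
  const msg = event.data;
  if (typeof msg !== 'object' || msg === null) return false;
  if (msg.command === 'setHtml' && typeof msg.html === 'string') {
    state.html = msg.html;
    return true;
  }
  return false;
}

// Sending side: name the target origin explicitly instead of '*', so the
// browser discards the message if the frame has navigated elsewhere.
function sendToWebview(webviewWindow, msg) {
  webviewWindow.postMessage(msg, WEBVIEW_ORIGIN);
}

// Browser wiring for the hardened handler (not exercised under Node).
function installHardenedListener(win, state) {
  win.addEventListener('message', ev => hardenedHandler(state, ev));
}

// Constructed events standing in for MessageEvent objects.
const legitimateEvent = {
  origin: WEBVIEW_ORIGIN,
  data: { command: 'setHtml', html: '<p>hello</p>' },
};
const hostileEvent = {
  origin: 'https://attacker.invalid',
  data: { command: 'setHtml', html: '<p>hijacked</p>' },
};

// Runs both handlers against both events and reports what each accepted.
function demo() {
  const vulnerable = { html: '' };
  const hardened = { html: '' };
  return {
    vulnerableAcceptedHostile: vulnerableHandler(vulnerable, hostileEvent),
    hardenedAcceptedHostile: hardenedHandler(hardened, hostileEvent),
    hardenedAcceptedLegit: hardenedHandler(hardened, legitimateEvent),
    hardenedHtml: hardened.html,
  };
}

console.log(demo());
```

The origin check has to come first: parsing or dispatching on the payload before the origin comparison gives an attacker a code path to reach, even when the final write is blocked.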

CVE-2021-34436 9.8 - Critical - September 02, 2021

In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. This extension uses lsp4xml (since renamed LemMinX) to provide language support for XML, and it is installed by default.

Weakness: Directory traversal

CVE-2021-34435 8.8 - High - September 01, 2021

In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. Because of the way it is implemented, a previewed HTML file can trigger remote code execution. The issue is only triggered when a user previews a malicious file.

Weakness: Origin Validation Error

CVE-2021-28161 6.1 - Medium - March 12, 2021

In Eclipse Theia versions up to and including 1.8.0, the debug console performs no HTML escaping, so arbitrary JavaScript code can be injected.

Weakness: XSS

CVE-2021-28162 6.1 - Medium - March 12, 2021

In Eclipse Theia versions up to and including 0.16.0, notification messages are rendered without HTML escaping, so JavaScript code can run.

Weakness: Inclusion of Functionality from Untrusted Control Sphere
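Both CVE-2021-28161 (debug console) and CVE-2021-28162 (notification messages) come down to the same defect: a string the IDE does not control (program output from the debuggee, a message supplied by an extension or a build tool) is interpolated into markup as-is. The example below is added here to show the vulnerable rendering beside the escaped one; it is not Theia's code, the element names and class names are assumptions, and the payload string is constructed for the demonstration.

```javascript
'use strict';

// Minimal HTML escaper covering the characters that change meaning in
// element text and in double- or single-quoted attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// Vulnerable pattern: the message text is dropped straight into markup.
// Anything that looks like a tag in the message becomes a real tag.
function renderNotificationUnsafe(message) {
  return `<div class="notification">${message}</div>`;
}

// Hardened pattern: every untrusted string is escaped before interpolation.
function renderNotificationSafe(message) {
  return `<div class="notification">${escapeHtml(message)}</div>`;
}

// Debug console lines are attacker-controlled whenever the debuggee is:
// the program being debugged prints them, so they get the same treatment.
function renderDebugOutputSafe(line) {
  return `<span class="console-line">${escapeHtml(line)}</span>`;
}

// Constructed payload: a tag whose error handler runs script on load.
const constructedPayload = '<img src=x onerror="alert(1)">';

console.log(renderNotificationUnsafe(constructedPayload));
console.log(renderNotificationSafe(constructedPayload));
```

In a browser the simpler primitive is to set textContent on a created element rather than build an HTML string at all; escaping is the right tool when a string has to pass through a template or a markup-producing renderer. Note that escapeHtml is not idempotent, so escape exactly once, at the point the string enters markup.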

CVE-2020-27224 9.6 - Critical - February 24, 2021

In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview) can be exploited to execute arbitrary code.

Weakness: XSS

CVE-2019-17636 8.1 - High - March 10, 2020

In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs.com. For its own needs, this extension exposes an HTTP endpoint that returns the content of any file on the host's filesystem, given its path, with no restriction on the requester's origin. This design can be exploited remotely through a DNS rebinding attack or a drive-by download of a carefully crafted exploit.

Weakness: Insufficient Verification of Data Authenticity
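The description of CVE-2019-17636 names two separate gaps: the endpoint did not restrict who may ask (so a DNS-rebound hostname pointing at 127.0.0.1, or a cross-origin page in the same browser, could reach it), and it did not restrict what may be read (any path on the host). The request-authorization function below is added here to show the checks that close both; it is not the mini-browser extension's code, and the allowed hosts, the workspace root and the /files/ route are assumptions. It only decides whether a request may proceed and returns the confined path; the requests it is run against are constructed, and nothing is read from disk.

```javascript
'use strict';

// Hosts the backend is actually deployed under (assumed). A DNS-rebinding
// request still carries the attacker's hostname in the Host header, so
// comparing Host against this list is what stops it.
const ALLOWED_HOSTS = new Set(['localhost:3000', '127.0.0.1:3000']);
const ALLOWED_ORIGINS = new Set([...ALLOWED_HOSTS].map(h => 'http://' + h));

// Directory the endpoint may serve from (assumed) and its URL route.
const WORKSPACE_ROOT = '/home/dev/workspace';
const FILE_PREFIX = '/files/';

// Resolve a relative path under root with POSIX semantics, without touching
// the filesystem. Returns null if a '..' would climb above the root.
function confineToRoot(root, relative) {
  const segments = [];
  for (const seg of relative.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (segments.length === 0) return null;
      segments.pop();
      continue;
    }
    segments.push(seg);
  }
  return segments.length === 0 ? root : root + '/' + segments.join('/');
}

// req mirrors the fields of a Node IncomingMessage this check needs:
// req.headers (lower-cased names) and req.url (path plus query).
function authorizeFileRead(req) {
  const host = (req.headers.host || '').toLowerCase();
  if (!ALLOWED_HOSTS.has(host)) {
    return { ok: false, status: 403, reason: 'unexpected Host header' };
  }

  // A browser page on another origin sends Origin; refuse it rather than
  // relying on CORS defaults, which only gate reading the response.
  const origin = req.headers.origin;
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin.toLowerCase())) {
    return { ok: false, status: 403, reason: 'cross-origin request' };
  }

  // Parse, then decode once. The URL parser collapses '.' and '..' segments;
  // decodeURIComponent then exposes %2F-encoded traversal for confineToRoot.
  let pathname;
  try {
    pathname = decodeURIComponent(new URL(req.url, 'http://' + host).pathname);
  } catch (e) {
    return { ok: false, status: 400, reason: 'malformed path' };
  }
  if (pathname.includes('\0')) {
    return { ok: false, status: 400, reason: 'NUL byte in path' };
  }
  if (!pathname.startsWith(FILE_PREFIX)) {
    return { ok: false, status: 404, reason: 'not a file route' };
  }

  const resolved = confineToRoot(WORKSPACE_ROOT, pathname.slice(FILE_PREFIX.length));
  if (resolved === null) {
    return { ok: false, status: 403, reason: 'path escapes workspace' };
  }
  return { ok: true, status: 200, path: resolved };
}

// Constructed requests: one legitimate, one DNS-rebound, one cross-origin,
// one with percent-encoded traversal.
const sampleRequests = [
  { headers: { host: 'localhost:3000' }, url: '/files/src/main.ts' },
  { headers: { host: 'rebind.attacker.invalid' }, url: '/files/src/main.ts' },
  { headers: { host: 'localhost:3000', origin: 'http://attacker.invalid' }, url: '/files/src/main.ts' },
  { headers: { host: 'localhost:3000' }, url: '/files/..%2F..%2Fetc/passwd' },
];

for (const req of sampleRequests) console.log(req.url, authorizeFileRead(req));
```

Checking Host is the cheap, reliable defence against DNS rebinding because the attacker controls the DNS answer but not what the browser writes into the Host header. Confining the resolved path is independent of that and is what the "given their path" part of the description calls for; the NUL-byte check matters because a path string that survives URL decoding can still be cut short by the C string underneath a filesystem call.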
