CVE-2021-28161 – @theia/console
Package
Manager: npm
Name: @theia/console
Vulnerable Version: >=0 <1.8.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00201 (percentile: 0.42369)
Details
Improper Neutralization of Input in Theia console
In Eclipse Theia versions up to and including 1.8.0, the debug console does not HTML-escape its output, so arbitrary JavaScript code can be injected.
Metadata
Created: 2021-04-13T15:18:53Z
Modified: 2021-03-26T23:20:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-cwg9-c9cr-p5fq/GHSA-cwg9-c9cr-p5fq.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-cwg9-c9cr-p5fq
Finding: F008
Auto approve: 1