Command Injection in @theia/messages

Description

In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run.

Recommendation

Update the @theia/messages package to the latest compatible version. Followings are version details:

• Affected version(s): < 1.0.0
• Patched version(s): 1.0.0

References

• GHSA-c94v-8fff-73ph
• CVE-2021-28162
• CWE-829
• CAPEC-310
• OWASP 2021-A6
• OWASP 2021-A8

Related Issues

• Command Injection Vulnerability - CVE-2021-21315
• Command Injection in lodash - lodash-es - CVE-2021-23337
• json-logic-js Command Injection vulnerability - CVE-2021-4329
• Command Injection Vulnerability in systeminformation - CVE-2021-21388

You might also like:

How do hackers hack websites?

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

@theia/messages