Description
In Eclipse Theia versions up to and including 1.8.0, in the debug console there is no HTML escaping, so arbitrary Javascript code can be injected.
Recommendation
Update the @theia/console package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.8.1
- Patched version(s): 1.8.1
References
Related Issues
- Improper Neutralization of Input During Web Page Generation in swagger-ui - CVE-2016-1000229
- Improper Neutralization of Input During Web Page Generation in Select2 - CVE-2016-10744
- Materialize-css vulnerable to Improper Neutralization of Input During Web Page Generation (GHSA-rg3q-jxmp-pvjj) - CVE-2019-11004
- Improper Input Validation in sanitize-html - CVE-2021-26539
- Tags:
- npm
- @theia/console
Anything's wrong? Let us know Last updated on February 01, 2023