Description
In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage().
Recommendation
Update the @theia/plugin-ext package to the latest compatible version. Version details:
- Affected version(s): < 1.18.0
- Patched version(s): 1.18.0
Related Issues
- Improper Neutralization of Input in Theia console - CVE-2021-28161
- Improper Verification of Cryptographic Signature - CVE-2021-32685
- Improper Input Validation in sanitize-html (GHSA-mjxr-4v3x-q3m4) - CVE-2021-26540
- Insufficient Verification of Data Authenticity in Eclipse Theia - CVE-2019-17636
Tags: npm, @theia/plugin-ext
Last updated on February 01, 2023