Unescaped HTML in Notification Messages in Eclipse Theia (up to version 0.16.0) Allows for JavaScript Code Execution

CVE-2021-28162 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

In Eclipse Theia versions up to and including 0.16.0, notification messages are not HTML-escaped, so JavaScript code can run.