Eclipse Theia
cpe:2.3:a:the_eclipse_foundation:eclipse_theia:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | The Eclipse Foundation (bb2d55d2-5306-5bc8-beb2-981f5d5392e4) |
|---|---|
| Product | Eclipse Theia (7743629f-0c6d-5359-b944-9bf0794eebbb) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2021-34436 | vulnerable | 2026-06-03 14:44:45.036572 | In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. This extension uses lsp4xml (recently renamed to LemMinX) in order to provide language support for XML. This is installed by default. Published: 2021-09-02T20:55:10.000Z; Updated: 2024-08-04T00:12:50.189Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-34435 | vulnerable | 2026-06-03 14:44:45.035585 | In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. But with the way it is made it is possible for a previewed HTML file to trigger an RCE. This exploit only happens if a user previews a malicious file. Published: 2021-09-01T17:20:09.000Z; Updated: 2024-08-04T00:12:50.149Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-28162 | vulnerable | 2026-06-03 14:44:17.303632 | In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run. Published: 2021-03-12T21:40:15.000Z; Updated: 2024-08-03T21:40:12.087Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-28161 | vulnerable | 2026-06-03 14:44:17.302673 | In Eclipse Theia versions up to and including 1.8.0, in the debug console there is no HTML escaping, so arbitrary Javascript code can be injected. Published: 2021-03-12T21:40:14.000Z; Updated: 2024-08-03T21:40:12.191Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-27224 | vulnerable | 2026-06-03 14:42:17.869951 | In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview), can be exploited to execute arbitrary code. Published: 2021-02-24T16:40:24.000Z; Updated: 2024-08-04T16:11:36.023Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2019-17636 | vulnerable | 2026-06-03 14:39:56.694061 | In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs.com. This extension, for its own needs, exposes a HTTP endpoint that allows to read the content of files on the host's filesystem, given their path, without restrictions on the requester's origin. This design is vulnerable to being exploited remotely through a DNS rebinding attack or a drive-by download of a carefully crafted exploit. Published: 2020-03-10T14:30:14.000Z; Updated: 2024-08-05T01:47:13.536Z | Imported from gcve-enriched-dumps CVE data |