Description

In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview), can be exploited to execute arbitrary code.

Remediation

References

https://github.com/eclipse-theia/theia/issues/7954

https://omespino.com/write-up-google-bug-bounty-xss-to-cloud-shell-instance-takeover-rce-as-root-5000-usd/

Related Vulnerabilities

CVE-2023-31579 Vulnerability in maven package top.tangyh.basic:lamp-util

CVE-2021-25913 Vulnerability in npm package set-or-get

CVE-2020-28500 Vulnerability in maven package org.fujion.webjars:lodash

CVE-2022-25857 Vulnerability in maven package org.yaml:snakeyaml

CVE-2023-25572 Vulnerability in maven package org.webjars.npm:react-admin

Severity

Critical

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Tags

Exploit Issue Tracking Third Party Advisory