Description
In Eclipse Theia versions up to and including 1.8.0, the debug console performs no HTML escaping, so arbitrary JavaScript code can be injected.
Remediation
References
https://github.com/eclipse-theia/theia/issues/8794
Related Vulnerabilities
CVE-2018-11011 Vulnerability in maven package cc.ryanc:halo
CVE-2020-15366 Vulnerability in maven package org.webjars.bowergithub.ajv-validator:ajv
CVE-2020-7754 Vulnerability in npm package npm-user-validate
CVE-2023-4316 Vulnerability in npm package zod
CVE-2013-6348 Vulnerability in maven package org.apache.struts:struts2-config-browser-plugin