CVE-2021-28162: Inclusion of Functionality from Untrusted Control Sphere

March 12, 2021 (updated March 18, 2021)

In Eclipse Theia versions up to and including, in the notification messages there is no HTML escaping, so Javascript code can run.

References

github.com/eclipse-theia/theia/issues/7283
nvd.nist.gov/vuln/detail/CVE-2021-28162

Code Behaviors & Features

Detect and mitigate CVE-2021-28162 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →