CVE-2021-34435

In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. But with the way it is made it is possible for a previewed HTML file to trigger an RCE. This exploit only happens if a user previews a malicious file..
References
Link Resource
https://bugs.eclipse.org/bugs/show_bug.cgi?id=568018 Exploit Patch Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:eclipse:theia:*:*:*:*:*:*:*:*

History

27 Oct 2022, 12:49

Type Values Removed Values Added
CWE CWE-668 CWE-346

10 Sep 2021, 02:05

Type Values Removed Values Added
References (CONFIRM) https://bugs.eclipse.org/bugs/show_bug.cgi?id=568018 - (CONFIRM) https://bugs.eclipse.org/bugs/show_bug.cgi?id=568018 - Exploit, Patch, Vendor Advisory
CVSS v2 : unknown
v3 : unknown
v2 : 6.8
v3 : 8.8
CPE cpe:2.3:a:eclipse:theia:*:*:*:*:*:*:*:*
CWE CWE-668

01 Sep 2021, 18:29

Type Values Removed Values Added
New CVE

Information

Published : 2021-09-01 18:15

Updated : 2023-12-10 13:55


NVD link : CVE-2021-34435

Mitre link : CVE-2021-34435

CVE.ORG link : CVE-2021-34435


JSON object : View

Products Affected

eclipse

  • theia
CWE
CWE-346

Origin Validation Error

CWE-942

Permissive Cross-domain Policy with Untrusted Domains