In Theia IDE 0.16.0 there was an XSS vulnerability in notification messages that can lead to data exfiltration from the victim's computer. I reported it on GitHub, see Issue #7283: https://github.com/eclipse-theia/theia/issues/7283 It was quickly fixed, see PR #7289: https://github.com/eclipse-theia/theia/pull/7289 I think it is a critical vulnerability because an attacker can use this vulnerability to easily exfiltrate data from the victim's computer, so I don't know if you want to create a little advisory or CVE for the users. Let me know! Best regards, Luigi
Thanks for reporting the issue, Luigi. I have confirmed that this indeed looks to be an XSS vulnerability: (https://www.acunetix.com/websitesecurity/cross-site-scripting/) "A web page or web application is vulnerable to XSS if it uses unsanitized user input in the output that it generates."
I vote +1 for a CVE. I think we'll probably need to either release a 0.16.2 that has Alex's fix on top of 0.16.1, or hold on a little bit before further publicising this and then we can propose 1.0.0+ as the version where this vulnerability is fixed. WDYT?
(In reply to Marc Dumais from comment #2)
> I vote +1 for a CVE.

If you want a CVE, we'll need some information. The handbook describes what a project committer needs to provide so that the EF can create the CVE: https://www.eclipse.org/projects/handbook/#vulnerability-cve
I'm doing a bit of housekeeping. We've long exceeded the three-month deadline to disclose, so I've removed the confidentiality flag. I believe that this was addressed in Issue 7283 [1], so I'm marking it as FIXED. [1] https://github.com/eclipse-theia/theia/issues/7283