4 matches found
Improper Verification of Communication Channel in @theia/plugin-ext
In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage...
Cross-site Scripting (XSS)
@theia/plugin-ext is vulnerable to cross-site scripting. An attacker is able to exploit the vulnerability by injecting malicious script into the system via the hostMessaging function. The vulnerability exists due to the lack of origin or parent check...
Prototype Pollution
@theia/plugin-ext is vulnerable to prototype pollution. The function mergeContents allows an attacker to gain control of the value of “path” and modify attributes such as __proto__, constructor and prototype. An attacker is able to supply a malicious object that causes the function to overwrite properties...
@eclipse-che/theia-terminal (>=0.0.1-1552991237 <=0.0.1-1566494904), @theia/cpp (>=0.4.0-next.0ce38188 <=0.4.0-next.fc6e8217) +7 more potentially affected by CVE-2019-0542 via xterm (=3.9.1)
xterm NPM version =3.9.1 is affected by a known vulnerability. The following packages have a transitive dependency on xterm and may be impacted: - @eclipse-che/theia-terminal =0.0.1-1552991237, =0.4.0-next.0ce38188, =0.4.0-next.0ce38188, =0.4.0-next.0ce38188, =0.4.0-next.0ce38188,...