Eclipse · Eclipse Theia - Website · CVE-2026-1699
**Name of the Vulnerable Software and Affected Versions**
Eclipse Theia Website (affected versions not specified)
**Description**
The GitHub Actions workflow located at `.github/workflows/preview.yml` in the Eclipse Theia Website repository utilized the `pull_request_target` trigger, which allowed for the execution of untrusted pull request code. This enabled any GitHub user to execute arbitrary code within the repository's CI environment, gaining access to repository secrets and a `GITHUB_TOKEN` possessing extensive write permissions, including permissions for contents, packages, pages, and actions. An attacker could potentially exfiltrate sensitive information, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and introduce malicious code into the repository.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
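Maintainers can audit their own workflows for the pattern described above with a check like the following. It is an added example, not code from the Eclipse Theia repository or from this advisory: both sample workflows are constructed, the `audit` function is a hypothetical name, and the matching is a line-based heuristic rather than a full YAML parse.

```python
import re
# Constructed samples (not the project's real preview.yml): risky shape, then a hardened variant.
RISKY = """\
on:
  pull_request_target:
permissions:
  contents: write
  packages: write
jobs:
  preview:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm run build
"""
HARDENED = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  preview:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build
"""
TRIGGER = re.compile(r"^\s*(on\s*:.*|-\s*)?\bpull_request_target\b")
PR_HEAD = re.compile(r"github\.(event\.pull_request\.head\.(sha|ref)|head_ref)")
WRITE = re.compile(r"^\s*([\w-]+)\s*:\s*(write(?:-all)?)\s*$")

def audit(text):
    """Heuristic findings for a workflow that runs PR code under pull_request_target."""
    lines = [l.split(" #")[0].rstrip() for l in text.splitlines()]  # drop trailing comments
    if not any(TRIGGER.match(l) for l in lines):
        return []  # plain pull_request: fork PRs get a read-only token and no secrets
    findings = ["uses pull_request_target"]
    if any(PR_HEAD.search(l) for l in lines):
        findings.append("checks out or references PR head code")
    if not any(re.match(r"^\s*permissions\s*:", l) for l in lines):
        findings.append("no permissions block: token scope is the repo default")
    findings += [f"token scope {m[1]}: {m[2]}" for l in lines if (m := WRITE.match(l))]
    return findings

if __name__ == "__main__":
    for name, wf in (("risky", RISKY), ("hardened", HARDENED)):
        print(name, audit(wf))
```

A workflow that reports both the trigger and a PR-head checkout is the combination to review first; the write scopes listed alongside show what the job's `GITHUB_TOKEN` could reach.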