Eclipse · Eclipse Theia · CVE-2021-34435
Name of the Vulnerable Software and Affected Versions:
Eclipse Theia versions 0.3.9 through 1.8.1
Description:
A previewed HTML file can trigger remote code execution (RCE) in the Eclipse Theia IDE through the "mini-browser" extension. The vulnerability is triggered when a user previews a malicious HTML file inside the IDE's iframe.
Recommendations:
For Eclipse Theia versions 0.3.9 through 1.8.1, disable the "mini-browser" extension as a temporary workaround until a patch is available. Restrict who can preview HTML files within the IDE to reduce the risk of RCE.
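As an added example (not part of this advisory and not code from the Theia project), the following Python script checks a Theia application's package.json for the affected version range and for the presence of the mini-browser extension, and prints the matching recommendation. It assumes the extension is installed as the npm package @theia/mini-browser and that the application's Theia release can be read from @theia/core; both package names are assumptions, and the package.json content below is constructed for illustration.

```python
import json
from typing import Dict, Optional, Tuple

# Constructed sample package.json files for a Theia application (not real project files).
SAMPLE_EXPOSED = """
{
  "name": "sample-theia-app",
  "dependencies": {
    "@theia/core": "^1.8.1",
    "@theia/editor": "^1.8.1",
    "@theia/mini-browser": "^1.8.1",
    "@theia/terminal": "^1.8.1"
  }
}
"""

SAMPLE_WITHOUT_MINI_BROWSER = """
{
  "name": "sample-theia-app",
  "dependencies": {
    "@theia/core": "^1.8.1",
    "@theia/editor": "^1.8.1"
  }
}
"""

# Affected range stated in the advisory: 0.3.9 through 1.8.1 (inclusive).
AFFECTED_MIN = (0, 3, 9)
AFFECTED_MAX = (1, 8, 1)
MINI_BROWSER = "@theia/mini-browser"  # assumed npm package name of the extension
CORE = "@theia/core"                  # assumed npm package name of the Theia core

Version = Tuple[int, int, int]


def parse_version(spec: str) -> Version:
    """Turn a dependency spec such as '^1.8.1' or '1.8.1-next.3' into a
    comparable (major, minor, patch) tuple. Range prefixes are stripped and
    prerelease/build suffixes ignored, which is good enough for a triage check."""
    core = spec.strip().lstrip("^~=v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def in_affected_range(version: Version) -> bool:
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(package_json_text: str) -> Dict[str, object]:
    """Report whether the application's Theia release is in the affected range
    and whether the mini-browser extension is part of its dependency set."""
    pkg = json.loads(package_json_text)
    deps: Dict[str, str] = {}
    for key in ("dependencies", "devDependencies"):
        deps.update(pkg.get(key, {}))

    mini_browser_installed = MINI_BROWSER in deps
    # Prefer the extension's own version; fall back to the core package, since a
    # Theia application normally pins all @theia/* packages to one release.
    spec: Optional[str] = deps.get(MINI_BROWSER) or deps.get(CORE)
    version = parse_version(spec) if spec else None
    affected_version = version is not None and in_affected_range(version)
    return {
        "theia_version": version,
        "affected_version": affected_version,
        "mini_browser_installed": mini_browser_installed,
        # Exposure needs both: an affected release and the extension present.
        "exposed": affected_version and mini_browser_installed,
    }


def recommendation(result: Dict[str, object]) -> str:
    if result["exposed"]:
        return ("Exposed to CVE-2021-34435: disable or remove the mini-browser "
                "extension and restrict HTML preview until the application is patched.")
    if result["affected_version"]:
        return ("Affected Theia release but mini-browser not installed: keep the "
                "extension out of the dependency set until upgraded.")
    return "Not in the affected range for CVE-2021-34435."


if __name__ == "__main__":
    for label, text in (("exposed app", SAMPLE_EXPOSED),
                        ("app without mini-browser", SAMPLE_WITHOUT_MINI_BROWSER)):
        result = assess(text)
        print(f"{label}: version={result['theia_version']} -> {recommendation(result)}")
```

Point the script at a real application's package.json to get the same verdict; the version parsing deliberately ignores semver range semantics, so treat a "not affected" result for a caret or tilde range as a prompt to confirm the resolved version in the lockfile.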