CVEs-PoC/2021/CVE-2021-28162.md

### [CVE-2021-28162](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28162)
![](https://img.shields.io/static/v1?label=Product&message=Eclipse%20Theia&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C%3D%200.16.0%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-830%3A%20Inclusion%20of%20Web%20Functionality%20from%20an%20Untrusted%20Source&color=brighgreen)

### Description

In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run.

### POC

#### Reference
- https://github.com/eclipse-theia/theia/issues/7283

#### Github
- https://github.com/EdgeSecurityTeam/Vulnerability
- https://github.com/SexyBeast233/SecBooks
- https://github.com/tzwlhack/Vulnerability