massCode Code execution (CVE-2020-8548)


A few days back I was looking for a tool to maintain my notes and important code snippets, and I came across a tool called massCode.

About massCode

massCode is a free and open-source code snippet manager built with Electron. Some time back it was trending on GitHub and was also listed on the Electron website.


massCode markdown editor

You can select different programming languages to render the respective code snippets, but my interest was in the markdown editor. Here is a quick image of how the massCode markdown editor works:


XSS in massCode markdown editor

Next, as usual, I tried to inject a <script> tag to see whether it would execute.


But nothing happened.


Next I tried injecting an <a> tag carrying a javascript: URL in its href, as shown in the image below.


This time it worked. Easy-peasy. A javascript: URL in an anchor runs when the link is clicked, just as a script tag would, so filtering <script> alone is not enough.


Code execution in massCode

Since massCode is built on Electron and we have an XSS vulnerability, the next question was whether the renderer process could reach Node. I quickly went through the source code available on GitHub and found that the nodeIntegration flag is set to true, which means JavaScript running in the page can call require() and invoke Node APIs. Next I created a simple XSS payload to open the calculator on Windows:

<a href="javascript:try{ const {shell} = require('electron'); shell.openExternal('file:C:/Windows/System32/calc.exe') }catch(e){alert(e)}">aaaaaaa</a>

shell.openExternal hands the file: URL to the operating system's default handler, which launches calc.exe; any other executable path could be used in the same way. The try/catch simply surfaces any error in an alert if the Node API is not reachable.

This issue has been fixed in the latest release of massCode.
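As an added example (this is not massCode's own code and not the project's actual fix), the JavaScript below shows the two layers that break the chain described above: an allowlist-based href check that a markdown renderer can apply to every link before emitting it, and the Electron webPreferences that keep an XSS that does slip through from reaching require(). The scheme allowlist, the function names and the example.com URLs are my own choices for this illustration.

```javascript
// Added example, not massCode's code: two layers against the chain above.
// 1) refuse javascript:/file:/data: links when rendering markdown;
// 2) Electron webPreferences that deny the renderer Node access anyway.

// Layer 1: only these URL schemes may appear in a rendered <a href>.
// (Allowlist chosen for this example; extend it deliberately, not reactively.)
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Returns the href to emit, or null if the link must be dropped.
// Call it on the decoded attribute value, i.e. after entities such as
// &#58; have been resolved, otherwise "javascript&#58;..." sneaks past.
function sanitizeHref(href) {
  if (typeof href !== 'string') return null;
  // Browsers drop tab/newline anywhere in a URL and trim leading/trailing
  // C0 controls and spaces, so "java\nscript:" is still javascript:.
  // Apply the same normalisation so the check sees what the browser sees.
  const cleaned = href
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
  let url;
  try {
    // Relative links ("#section", "./notes.md") take the base's https: scheme;
    // absolute javascript:, data:, vbscript: or file: URLs keep their own,
    // which is exactly what the allowlist then rejects. The base is a dummy.
    url = new URL(cleaned, 'https://example.com/');
  } catch {
    return null; // unparseable: drop it rather than guess
  }
  return SAFE_SCHEMES.has(url.protocol) ? cleaned : null;
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Emit a link; a rejected href is removed entirely instead of "cleaned up".
function renderLink(text, href) {
  const safe = sanitizeHref(href);
  const body = escapeHtml(text);
  if (safe === null) return `<a>${body}</a>`;
  return `<a href="${escapeHtml(safe)}" rel="noopener noreferrer">${body}</a>`;
}

// Layer 2: even if a javascript: link slips through, these settings keep
// require('electron') out of reach, so the calc.exe payload above would only
// surface a ReferenceError in its catch block. Shown as a plain object so this
// file runs without Electron; in an app it is passed as
// new BrowserWindow({ webPreferences: HARDENED_WEB_PREFERENCES }).
const HARDENED_WEB_PREFERENCES = {
  nodeIntegration: false,  // no require()/process in page JavaScript
  contextIsolation: true,  // preload script globals are not visible to the page
  sandbox: true,           // renderer runs in the Chromium OS sandbox
  webSecurity: true,       // keep same-origin policy (the default, made explicit)
};

// Self-check over constructed hrefs, including the file: path used above.
function demo() {
  const hrefs = [
    'javascript:alert(1)',
    ' java\nscript:alert(1)',            // split-scheme bypass attempt
    'file:C:/Windows/System32/calc.exe',
    'https://example.com/notes',
    '#section-2',
  ];
  return hrefs.map((h) => renderLink('link', h));
}

console.log(demo().join('\n'));
```

The first three sample links are emitted without any href at all, the last two are kept. Scheme allowlisting is the right shape for this check: a blocklist of "javascript:" would miss case variants, embedded tab/newline tricks and other active schemes, whereas an allowlist only ever grows when you decide it should.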
