massCode Code execution (CVE-2020-8548)


A few days back I was looking for a tool to maintain my notes and important code snippets and I came across a tool called massCode

About massCode

massCode is one of the free and open-source code snippet manager tool build with the electron. Sometime back it was in trending on GitHub and also listed on electron website


massCode makrdown editor

You can select different programming languages to render respecting code snippets but my interest was in markdown editor. Here is a quick image of how massCode markdown editor works

2 3

XSS in massCode makrdown editor

Next, As usual, I tried to inject the script tag to see if it gets executed


But nothing happened.


Again i tried to inject <a> tag as shown in below image 6

and luckily it worked this time. easy-peasy


Code execution in massCode

Since massCode is built on electron and we have XSS vulnerability at the same time. I quickly navigate to the source code available on GitHub, and figured out that nodeIntegration flag is set to true.

8 which means we can invoke node API’s. Next I created a simple XSS payload to open a calculator on windows

<a href="javascript:try{ const {shell} = require('electron'); shell.openExternal('file:C:/Windows/System32/calc.exe') }catch(e){alert(e)}">aaaaaaa</a>


This issue has been fixed in latest relase of massCode

Latest news See all news

Webinar, Online


Nikhil Joshi will be delivering a webinar on “How secure are ML applications”.

Webinar, Online


Nikhil Joshi will be delivering a webinar on “Introduction to ML and DL for security”.

Heidelberg, Germany


Nikhil Joshi will be delivering training titled “ML for security and security for ML” at troppers2020