Cross-site Scripting (XSS) - Reflected in tagspaces/viewerText

Reported on May 18th 2021

✍️ Description

viewerText, used within Tagspaces to show a preview of text files, is vulnerable to cross-site scripting.

🕵️‍♂️ Proof of Concept

If any HTML is fed to the setContent function:


It appends it to the DOM without any filtering:
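As an added illustration (not the viewerText source, which is not shown on this page), the unfiltered-append pattern next to a hardened form that treats file content as text. The function names other than `setContent`'s role, the `preview` class and the sample file content are assumptions constructed for this example.

```javascript
// Added example: hypothetical stand-ins for a text-preview setContent().
// Constructed sample "file": plain text that also contains markup.
const sampleFile = 'Shopping list\n<img src=x onerror="alert(1)">\n5 < 6 && "ok"';

const WRAP_OPEN = '<pre class="preview">';
const WRAP_CLOSE = '</pre>';

// Vulnerable pattern: file content is concatenated into markup as-is, so any
// tags in the file become live elements once the string reaches innerHTML.
function buildPreviewUnsafe(content) {
  return WRAP_OPEN + content + WRAP_CLOSE;
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag, an entity or an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: the file is rendered as text, never parsed as markup.
function buildPreviewSafe(content) {
  return WRAP_OPEN + escapeHtml(content) + WRAP_CLOSE;
}

// Hardened DOM variant: accepts a real element (or any object exposing
// textContent); the browser does not run the HTML parser on the content.
function setContentSafe(container, content) {
  container.textContent = String(content);
  return container;
}

// Regression check: count tag openings inside the wrapper.
// 0 means nothing from the file was turned into an element.
function countInjectedTags(markup) {
  const inner = markup.slice(WRAP_OPEN.length, -WRAP_CLOSE.length);
  return (inner.match(/<[a-zA-Z\/!]/g) || []).length;
}

console.log('unsafe:', countInjectedTags(buildPreviewUnsafe(sampleFile)));
console.log('safe:  ', countInjectedTags(buildPreviewSafe(sampleFile)));
```

The `countInjectedTags` check can be kept as a unit test so that a later change back to raw concatenation fails the build.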


💥 Impact

This vulnerability is capable of manipulating the DOM and running arbitrary JavaScript. As tagspaces is an Electron application and uses this library in its core, I utilized this to gain code execution, which is disclosed here