Unpatched Cloud9 XSS and potential remote code execution vulnerability

While coding with the awesome Cloud9 IDE, I found an interesting cross site scripting vulnerability in C9. Within editors.js, there exists a DOM-based cross site scripting vulnerability and potential remote code execution.

XSS

The vulnerable code flow starts on line 881. Then the malicious entity is passed through loadFileFromHash's function (line 994. Returns on line 1031.) Then the malicious entity is passed to DOM on line 883.

 

RCE

Since C9 runs on Node.js, there exists a possibility of the XSS becoming remote code execution.   But I do not see the obvious code flow path to have the XSS interpreted by Node.js.  It is plausible though.  

 

Source:  

https://github.com/ajaxorg/cloud9.git