Zero-day vulnerabilities in Pling leave Linux marketplaces open to RCE, supply chain attacks

Security researchers have reported an unpatched critical vulnerability in the FOSS (Free and Open-Source Software) Pling-based application stores for Linux.

The vulnerability allows attackers to remotely execute code and can potentially be used for attacks on the supply chain.

“Pling’s Linux app stores are vulnerable to cross-site scripting worms and can potentially be used in supply chain attacks. The native PlingStore application is vulnerable to remote code execution, which can be carried out from any site while the application is running,” explained Fabian Bräunlein, co-founder of Positive Security.

The vulnerability affects the following app stores:


PlingStore allows users to find and install Linux software, themes, icons and extensions that cannot be downloaded from the distribution’s software centre.

The vulnerability relates to the way the store listing page parses HTML or embedded media fields, potentially allowing an attacker to inject malicious JavaScript that could lead to arbitrary code execution.
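The bug class described above is stored cross-site scripting through a listing's user-supplied HTML and media-embed fields, which is what an allowlist sanitiser on the store side is meant to stop. The following is an added example, not Pling's code: it re-serialises a listing description keeping only allowlisted tags, drops event-handler attributes and non-http(s) URLs (including entity- and whitespace-obfuscated `javascript:` links), and limits iframe embeds to an assumed trusted host; the tag list, MEDIA_HOSTS and the sample input are all constructed for the example.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p": set(), "b": set(), "a": {"href"}, "img": {"src"}, "iframe": {"src"}}
MEDIA_HOSTS = {"media.example.invalid"}  # both allowlists are constructed for this example

def safe_url(tag, value):  # allowlist schemes; embeds also need a trusted https host
    try:                                  # browsers ignore tabs/newlines, so drop them
        parts = urlsplit("".join(ch for ch in value if ch > " "))
    except ValueError:
        return False                      # malformed URL, e.g. broken IPv6 brackets
    if tag == "iframe":
        return parts.scheme == "https" and parts.hostname in MEDIA_HOSTS
    return parts.scheme in ("", "http", "https")  # rejects javascript:, data:, ...

class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"  # its contents get skipped
        if tag not in ALLOWED_TAGS:
            return                        # tag dropped, its text (unless script) survives
        kept = ""
        for name, value in attrs:         # on* handlers, style, srcdoc ... are gone
            if name in ALLOWED_TAGS[tag] and value is not None and (
                    name not in ("href", "src") or safe_url(tag, value)):
                kept += f' {name}="{escape(value, quote=True)}"'
        if tag not in ("img", "iframe") or " src=" in kept:  # media needs a safe source
            self.out.append(f"<{tag}{kept}>")
            if tag != "img":              # remember what needs closing
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
        if tag in self.open_tags:         # never emit a close for a dropped open
            self.open_tags.remove(tag)
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:            # text nodes are re-escaped, never raw
            self.out.append(escape(data, quote=False))

def sanitize_listing_html(raw):
    p = ListingSanitizer()
    p.feed(raw)
    p.close()
    return "".join(p.out)
```

Sanitising on write and again on render, rather than trusting stored HTML, keeps a listing edited through another path from reaching other users' browsers as script.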

