24 June 21, 12:02
Quote:An unpatched stored cross-site-scripting (XSS) security vulnerability affecting Linux marketplaces could allow unchecked, wormable supply-chain attacks, researchers have found.
The bug was found to affect Pling-based markets by researchers at Positive Security, including AppImage Hub, Gnome-Look, KDE Discover App Store, Pling.com and XFCE-Look.
To boot, the PlingStore application is affected by an unpatched remote code-execution (RCE) vulnerability, which researchers said can be triggered from any website while the app is running – allowing for drive-by attacks.
PlingStore is an installer and content-management application that acts as a consolidated digital storefront for the various aforementioned sites that offer Linux software and plugins. It allows users to download, install and apply desktop themes, icon themes, wallpapers, mouse cursors and so on directly using the “Install” button.
The Pling team could not be reached, according to Fabian Bräunlein with Positive Security, writing in a blog post on Tuesday – “which is why we have decided to publish these unpatched vulnerabilities in order to warn users,” he said.
Read more: Unpatched Linux Marketplace Bugs Allow Wormable Attacks, Drive-By RCE | Threatpost