
Cybersecurity researchers have disclosed a critical unpatched vulnerability affecting Pling-based free and open-source software (FOSS) marketplaces for the Linux platform that could potentially be abused to stage supply-chain attacks and achieve remote code execution (RCE).

“Linux marketplaces that are based on the Pling platform are vulnerable to a wormable [cross-site scripting] with potential for a supply-chain attack,” Positive Security co-founder Fabian Bräunlein said in a technical write-up published today. “The native PlingStore application is affected by an RCE vulnerability, which can be triggered from any website while the app is running.”

The Pling-based app stores impacted by the flaw include —

  • appimagehub.com
  • store.kde.org
  • gnome-look.org
  • xfce-look.org
  • pling.com

PlingStore allows users to search and install Linux software, themes, icons, and other add-ons that may not be available for download through the distribution’s software centre.
