Cybersecurity researchers have disclosed a critical unpatched vulnerability affecting Pling-based free and open-source software (FOSS) marketplaces for Linux platform that could be potentially abused to stage supply-chain attacks and achieve remote code execution (RCE).
“Linux marketplaces that are based on the Pling platform are vulnerable to a wormable [cross-site scripting] with potential for a supply-chain attack,” Positive Security co-founder Fabian Bräunlein said in a technical write-up published today. “The native PlingStore application is affected by an RCE vulnerability, which can be triggered from any website while the app is running.”
The Pling-based app stores impacted by the flaw include —
PlingStore allows users to search and install Linux software, themes, icons, and other add-ons that may not be available for download through the distribution’s software centre.
images from Hacker News