
Unpatched Flaw in Linux Pling Store Apps Could Lead to Supply-Chain Attacks
2021-06-22 21:01

Cybersecurity researchers have disclosed a critical unpatched vulnerability affecting Pling-based free and open-source software marketplaces for the Linux platform that could potentially be abused to stage supply-chain attacks and achieve remote code execution.

The vulnerability stems from the way the store's product listings page parses HTML or embedded media fields, which potentially allows an attacker to inject malicious JavaScript code that could result in arbitrary code execution.

"This stored XSS could be used to modify active listings, or post new listings on the Pling store in the context of other users, resulting in a wormable XSS," Bräunlein said.

With the PlingStore app acting as a single digital storefront for all the aforementioned app stores, Positive Security noted that the XSS exploit can be triggered from within the app and, when coupled with a sandbox bypass, could lead to remote code execution.

Not only can the JavaScript code in the website establish a connection to the local WebSocket server that the app uses to listen for messages, it can also use that connection to send messages that execute arbitrary native code by downloading and executing an.

The report comes less than a month after severe security weaknesses were uncovered in several popular Visual Studio Code extensions that could enable attackers to compromise local machines as well as build and deployment systems through a developer's integrated development environment, ultimately paving the way for supply-chain attacks.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/pcTU1Yp2gWI/unpatched-critical-flaw-affects-pling.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Linux 11 64 2613 1617 67 4361