Researcher Finds Vulnerability Impacting Multiple Linux Marketplaces (Security News, June 2021)
Linux marketplaces that are based on the Pling platform are impacted by a cross-site scripting vulnerability and potentially exposed to supply chain attacks, according to German cybersecurity consultancy Positive Security.
Positive Security co-founder Fabian Bräunlein discovered that all Pling-based marketplaces are impacted by a wormable XSS that potentially opens the door for supply chain attacks.
The researcher discovered that the native PlingStore app, which is an Electron application, is affected by a remote code execution vulnerability that can be triggered from any browser.
The PlingStore app includes a mechanism to run code at the OS level, and that mechanism allows any website to run arbitrary code, the researcher explains.
"Browsers do not implement the Same-origin policy for WebSocket connections. Therefore, it's important to validate the origin server-side or implement additional authentication over the WebSocket connection. With ocs-manager, this is not the case, which means that any website in any browser can initiate a connection to the WebSocket server, and ocs-manager will happily accept any commands sent," the researcher notes.
As long as PlingStore runs in the background, the vulnerability can be triggered from any malicious website visited in the browser.
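The server-side check the researcher describes can be sketched as follows. This is an added example in Node.js, not code from ocs-manager or PlingStore. The allowed origin `https://store.example`, the `token` query parameter and the function names are assumptions made for illustration.

```javascript
// Added example, not ocs-manager code. Node.js built-ins only.
const http = require('http');
const crypto = require('crypto');

// Assumption: the single web origin allowed to drive the local service.
const ALLOWED_ORIGINS = new Set(['https://store.example']);
// Assumption: per-launch secret handed to the legitimate client out of band.
const SESSION_TOKEN = crypto.randomBytes(32).toString('hex');
const WS_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'; // fixed by RFC 6455

// Decide whether a WebSocket upgrade request may proceed.
function checkUpgrade(headers, url, token = SESSION_TOKEN) {
  if (!headers['sec-websocket-key']) return { ok: false, status: 400, reason: 'not-websocket' };
  // The browser sets Origin itself; page script cannot override it.
  // Missing, "null" and unlisted origins are all refused.
  if (!ALLOWED_ORIGINS.has(headers.origin)) return { ok: false, status: 403, reason: 'origin' };
  // Non-browser clients can send any Origin, so the token is required as well.
  const supplied = Buffer.from(new URL(url, 'http://localhost').searchParams.get('token') || '');
  const expected = Buffer.from(token);
  if (supplied.length !== expected.length || !crypto.timingSafeEqual(supplied, expected)) {
    return { ok: false, status: 401, reason: 'token' };
  }
  return { ok: true, status: 101, reason: 'accepted' };
}

// Sec-WebSocket-Accept value for a given Sec-WebSocket-Key (RFC 6455).
function acceptKey(key) {
  return crypto.createHash('sha1').update(key + WS_GUID).digest('base64');
}

// Build (but do not start) a server that refuses bad handshakes before any command is read.
function createServer(onAccepted) {
  const server = http.createServer((req, res) => { res.writeHead(426); res.end(); });
  server.on('upgrade', (req, socket) => {
    const verdict = checkUpgrade(req.headers, req.url);
    if (!verdict.ok) {
      socket.end(`HTTP/1.1 ${verdict.status} Rejected\r\nConnection: close\r\n\r\n`);
      return;
    }
    socket.write('HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n' +
      `Connection: Upgrade\r\nSec-WebSocket-Accept: ${acceptKey(req.headers['sec-websocket-key'])}\r\n\r\n`);
    onAccepted(socket); // frame parsing is left to the caller
  });
  return server;
}
```

A caller would start it with `createServer(handler).listen(port, '127.0.0.1')` so the service is reachable only from the local machine.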