Security News > 2021 > June > You won't want that Linux bling if it comes from Pling: Marketplace platform has critical vulnerabilities

You won't want that Linux bling if it comes from Pling: Marketplace platform has critical vulnerabilities
2021-06-24 22:00

Pling presents itself as a marketplace for creative folk to upload Linux desktop themes and graphics, among other things, in the hope of making a few quid from supporters.

It comes in two parts: code needed to run your own bling bazaar, and an Electron-based app users can install to manage their themes from a Pling souk.

The web code has the XSS in it, and the client has the XSS and an RCE. Pling powers a bunch of sites, from pling.com and store.

KDE Discover, he explained, is a typical Linux desktop bling marketplace based on the Pling platform.

Following on from that discovery, Bräunlein realized the PlingStore marketplace application was also vulnerable to the XSS - "And from there, can likely be escalated to RCE when combined with an Electron sandbox bypass."

That means accessing a booby-trapped marketplace listing in the app, or surfing to a bad website with PlingStore running in the background, can lead to malware running on your Linux PC via the Pling application, according to Positive.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/06/24/pling_linux_flaws/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Linux 11 64 2532 1569 67 4232