You won't want that Linux bling if it comes from Pling: Marketplace platform has critical vulnerabilities
2021-06-24 22:00

Pling presents itself as a marketplace for creative folk to upload Linux desktop themes and graphics, among other things, in the hope of making a few quid from supporters.

It comes in two parts: code needed to run your own bling bazaar, and an Electron-based app users can install to manage their themes from a Pling souk.

The web platform code carries an XSS flaw; the client app carries the same XSS plus an RCE. Pling powers a bunch of sites, from pling.com and store.

KDE Discover, Bräunlein of Positive Security explained, is a typical Linux desktop bling marketplace based on the Pling platform.

Following on from the web XSS, Bräunlein realized the PlingStore marketplace application was also vulnerable to the XSS - "And from there, can likely be escalated to RCE when combined with an Electron sandbox bypass."

That means opening a booby-trapped marketplace listing in the app, or merely browsing to a malicious website while PlingStore is running in the background, can lead to malware running on your Linux PC via the Pling application, according to Positive Security.
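The article does not say how PlingStore is configured or what the payload looked like, so the following is an added illustration, not code from Pling, PlingStore or Positive Security. It shows the two halves of the chain described above: a marketplace listing rendered into the app's HTML without escaping (the XSS), and the Electron BrowserWindow webPreferences that decide whether injected script stays confined to the page or can reach Node.js and run commands on the host (the RCE). The sample listing, the payload in it, the "weak" and "hardened" settings and the preload path are all constructed for the example.

```javascript
// Added example (not code from Pling, PlingStore or Positive Security).
// Part 1: an unescaped listing renderer next to an escaped one.
// Part 2: a checker for the Electron webPreferences that turn an XSS into RCE.
// The "weak" settings are a hypothetical illustration, not PlingStore's real config.

// Constructed sample listing: the description carries an XSS payload that would
// call Node's child_process if the renderer exposes require().
const SAMPLE_LISTING = {
  title: "Cool Plasma Theme",
  description: '<img src=x onerror="require(\'child_process\').exec(\'id\')">',
};

// Vulnerable renderer: untrusted fields are concatenated straight into HTML.
function renderListingUnsafe(listing) {
  return `<h2>${listing.title}</h2><p>${listing.description}</p>`;
}

// Minimal HTML escaping, safe for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened renderer: every untrusted field is escaped, so the payload is just text.
function renderListingSafe(listing) {
  return `<h2>${escapeHtml(listing.title)}</h2><p>${escapeHtml(listing.description)}</p>`;
}

// Hypothetical weak configuration: the renderer process gets Node.js APIs,
// so the injected onerror handler above would run `id` on the host.
const WEAK_PREFS = {
  nodeIntegration: true,
  contextIsolation: false,
  sandbox: false,
  webSecurity: false,
};

// Hardened configuration: the renderer is OS-sandboxed with no Node.js access;
// anything privileged has to go through a preload script and IPC.
const HARDENED_PREFS = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  preload: "/opt/app/preload.js", // hypothetical path
};

// [key, required value, why the other value matters]. A key that is not set
// explicitly is reported too, because Electron's defaults changed over time
// (nodeIntegration defaulted to true before Electron 5, contextIsolation to
// false before 12, sandbox to false before 20), so the effective setting
// depends on which Electron the app happens to bundle.
const RULES = [
  ["nodeIntegration", false, "renderer can require() Node modules, so XSS becomes RCE"],
  ["contextIsolation", true, "page scripts share a JS realm with the preload script"],
  ["sandbox", true, "renderer is not OS-sandboxed, so a Chromium bug reaches the host"],
  ["webSecurity", true, "same-origin policy is off, so any origin can read local files"],
];

// Returns one finding string per insecure or unset setting; an empty array means clean.
function checkWebPreferences(prefs) {
  const findings = [];
  for (const [key, required, why] of RULES) {
    if (!(key in prefs)) {
      findings.push(`${key} not set explicitly: effective default depends on Electron version`);
    } else if (prefs[key] !== required) {
      findings.push(`${key}=${prefs[key]}: ${why}`);
    }
  }
  return findings;
}

console.log("unsafe render:  ", renderListingUnsafe(SAMPLE_LISTING));
console.log("safe render:    ", renderListingSafe(SAMPLE_LISTING));
console.log("weak prefs:     ", checkWebPreferences(WEAK_PREFS));
console.log("hardened prefs: ", checkWebPreferences(HARDENED_PREFS));
```

Escaping the listing closes the XSS; the webPreferences decide the blast radius if a second XSS slips through. With the hardened settings an injected script is limited to what the page can already do, which is the difference between a defaced listing and a command running on the user's desktop.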


News URL

https://go.theregister.com/feed/www.theregister.com/2021/06/24/pling_linux_flaws/

Related vendor

VENDOR   LAST 12M   #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Linux    11         -            64    2312     1489   67         3932

(The extracted row carries no #/PRODUCTS value; the four severity counts sum to the listed total.)