Security Experts:

Connect with us

Hi, what are you looking for?



Researcher Finds Vulnerability Impacting Multiple Linux Marketplaces

Linux marketplaces that are based on the Pling platform are impacted by a cross-site scripting (XSS) vulnerability and potentially exposed to supply chain attacks, according to German cybersecurity consultancy Positive Security.

Linux marketplaces that are based on the Pling platform are impacted by a cross-site scripting (XSS) vulnerability and potentially exposed to supply chain attacks, according to German cybersecurity consultancy Positive Security.

Pling allows for the creation of free and open-source software (FOSS) marketplaces that are used for the distribution of software, themes, and other content that might not be available through other distribution channels.

Positive Security co-founder Fabian Bräunlein discovered that all Pling-based marketplaces are impacted by a wormable XSS that potentially opens the door for supply chain attacks.

The XSS flaw, the researcher explains, could be used to modify listings or add new ones to the Pling store, in the context of other users. This could be abused in a supply chain attack in which the adversary uploads a backdoored version of an application and changes the metadata of the victim’s listings to include the malicious payload.

The issue was initially discovered in the KDE Discover marketplace, but also impacts Pling-based FOSS app stores such as,,,, and even itself.

Additionally, the researcher discovered that the native PlingStore app, which is an Electron application, is affected by a remote code execution vulnerability that can be triggered from any browser. The app was designed to display websites and enable users to install software with a single click.

The PlingStore app includes a mechanism to run code on the OS level and that mechanism allows any website to run arbitrary code, the researcher explains.

The issue resides with a local WebSocket server (ocs-manager) that the PlingStore app launches when started, and which listens for commands from the Electron app to perform various actions. According to Bräunlein, an attacker can combine three function calls to execute arbitrary native code when triggering the aforementioned XSS within the app.

“Browsers do not implement the Same-origin policy for WebSocket connections. Therefore, it’s important to validate the origin server-side or implement additional authentication over the WebSocket connection. With ocs-manager, this is not the case, which means that any website in any browser can initiate a connection to the WebSocket server, and ocs-manager will happily accept any commands sent,” the researcher notes.

As long as PlingStore runs in the background, the vulnerability can be triggered from any malicious website visited in the browser.

Bräunlein says he attempted to contact Pling to responsibly disclose the vulnerability, but received no response. However, he did manage to contact KDE Discover and Gnome Shell Extensions developers, which were quick to address the issue.

Related: Researcher Claims Apple Downplayed Severity of iCloud Account Takeover Vulnerability

Related: NTLM Relay Attack Abuses Windows RPC Protocol Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet