Please enter url.
-- MARKDOWN -- - [KDE Discover](#kde-discover) - [Wormable XSS affecting multiple marketplaces](#wormable-xss-affecting-multiple-marketplaces) - [

Linux marketplaces vulnerable to RCE and supply chain attacks

submited by
Style Pass
2021-06-23 13:30:04

-- MARKDOWN -- - [KDE Discover](#kde-discover) - [Wormable XSS affecting multiple marketplaces](#wormable-xss-affecting-multiple-marketplaces) - [PlingStore RCE](#plingstore-rce)     - [RCE by design](#rce-by-design)     - [Exploitation from any browser](#exploitation-from-any-browser)     - [Disclosure](#disclosure) - [Gnome Shell Extensions XSS](#gnome-shell-extensions-xss) - [Conclusion](#conclusion) # KDE Discover

In the beginning of this year, we analyzed how popular desktop applications handle user supplied URIs [and found code execution vulnerabilities in several of them](https://positive.security/blog/url-open-rce). One of the applications I checked was the *KDE Discover* App Store, which did turn out to handle untrusted URIs in an insecure manner (CVE-2021-28117, [KDE Security Advisory](https://kde.org/info/security/advisory-20210310-1.txt)).

A wormable XSS with potential for supply chain attacks on *Pling*-based marketplaces, and a drive-by RCE affecting users of the *PlingStore* application are still exploitable as of 2021-06-22.

Read more positive.sec...
Share :  
Leave a Comment
Related Posts

Deep dive into Visual Studio Code extension security vulnerabilities

Comment

Remote code execution in cdnjs of Cloudflare - RyotaK's Blog

Comment

Groundhog day: NPM package caught stealing browser passwords

Comment

Spike in “Chain Gang” Destructive Attacks on ATMs

Comment

Docker launches new business plan with changes to the Docker Desktop license

Comment

Prepare a Staggering US$1.2 Trillion to Build Semiconductor Supply Chains

Comment

First Workshop on DRAM Security (DRAMSec)

Comment

Taiwan at the crossroads: China-free or China+?

Comment

Amazon Demands One More Thing From Some Vendors: a Piece of Their Company

Comment

HODLCOIN ~ The longer you HODL, the more you earn! A Store of value for the Binance Smart Chain

Comment
Recent Posts

FTC bans noncompete agreements, making it easier for workers to quit. Here's what to know.

Comment

Trolling IBM’s Quantum Processor Advantage With A Commodore 64

Comment

Data Gateway — A Platform for Growing and Protecting the Data Tier

Comment

It Introduced Ozempic to the World. Now It Must Remake Itself.

Comment

Paolo Amoroso's Journal

Comment

Happy JS Naked Day 2024

Comment

COMETARY SCIENCE. Organic compounds on comet 67P/Churyumov-Gerasimenko revealed by COSAC mass spectrometry

Comment

Douglas DC-4 plane crashes into river outside Fairbanks, Alaska; not clear how many people on board

Comment

forgejo/RELEASE-NOTES.md at forgejo - forgejo/forgejo - Codeberg.org

Comment

Timeless order | Nature Physics

Comment

What does Goldman Sachs want in a coder? For them to have studied philosophy

Comment

F.T.C. Issues Ban on Worker Noncompete Clauses

Comment

New analysis reveals the brutal history of the Winchcombe meteorite's journey through space

Comment

Apple is about to drop some new iPads

Comment

Scientists design ultra-efficient energy storage system using pebbles — here's how it works

Comment

Porting a cross-platform GUI application to Rust - Mozilla Hacks - the Web developer blog

Comment

Search code, repositories, users, issues, pull requests...

Comment

Aramaic: The Bible’s third language | TruthOnlyBible

Comment

GPU Compute in the Browser at the Speed of Native: WebGPU Marching Cubes

Comment

Search code, repositories, users, issues, pull requests...

Comment