Several Linux app stores & Pling store apps can be attacked via cross-site scripting

Published by: MRT

Security researcher Fabian Bräunlein of Positive Security has discovered an as yet unfixed cross-site scripting (XSS) vulnerability in Pling-based Linux app stores which, he reports, also affects the native Pling-Store application. The vulnerability could be abused to manipulate listings (the apps offered for download) in affected stores, for example by adding malicious code to them. According to the researcher, under certain conditions the Pling Store app can also be used to execute arbitrary program code remotely (remote code execution, RCE) on Linux systems.

The Pling platform is part of the opendesktop.org portal run by hive 01 GmbH. It serves as an alternative download source for themes, icons, desktop backgrounds, software and more for Linux. Several well-known app stores, such as the KDE Store, are built on it; Positive Security names appimagehub.com, gnome-look.org and xfce-look.org as further examples. The Electron-based Pling-Store application (also “PlingStore”, formerly OCS-Store), in turn, is intended to simplify installing and managing Pling content and is promoted for that purpose by the Pling-based app stores.

According to the changelog on pling.com, the Pling Store app was last updated about a year ago in a “minor bug fix release”.

(Image: screenshot)

According to a detailed Positive Security blog post, the vulnerability can be exploited via one of the input fields available to developers when creating and editing app listings on Pling. The “HTML or Embed media code” field, intended for embedding HTML content that is then displayed within the respective app's description, accepts a JavaScript payload without complaint if it is “hidden” behind a preceding iframe. Since the entries of software listings on Pling are stored permanently on the server, such a payload would be executed every time the listing is opened, whether in any browser or in the Pling Store app (stored XSS).
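One defensive pattern for a field like “HTML or Embed media code” is never to store user-supplied HTML at all: accept only a single embed URL, validate it against an allowlist, and regenerate the iframe markup from the stored URL at render time, so that anything tucked before or after the iframe is rejected rather than saved. The following is an added example written for this article, not code from Pling or Positive Security; the accepted hosts, the exact field format and the function names are assumptions.

```javascript
'use strict';
// Added example: store an "embed" field as structured data instead of raw HTML.
// Hypothetical policy: the only accepted value is a single <iframe> whose src is an
// https URL on an allowlisted host. Everything else is rejected before storage.

// Constructed allowlist for illustration; a real deployment maintains its own.
const ALLOWED_EMBED_HOSTS = new Set(['www.youtube.com', 'player.vimeo.com']);

// Strict shape: exactly one iframe with a quoted src and nothing else but whitespace.
// Anchoring with ^ and $ is what defeats "iframe first, payload afterwards" inputs.
const SINGLE_IFRAME = /^\s*<iframe\s+src="([^"<>]+)"\s*>\s*<\/iframe>\s*$/i;

// Returns the validated embed URL as a string, or null if the input is not acceptable.
function extractEmbedUrl(fieldValue) {
  if (typeof fieldValue !== 'string' || fieldValue.length > 2048) return null;
  const m = SINGLE_IFRAME.exec(fieldValue);
  if (!m) return null;
  let url;
  try {
    url = new URL(m[1]);
  } catch {
    return null; // not an absolute URL
  }
  if (url.protocol !== 'https:') return null;          // no http:, javascript:, data:
  if (!ALLOWED_EMBED_HOSTS.has(url.hostname)) return null;
  if (url.username || url.password) return null;       // no userinfo tricks
  return url.href;
}

// Escape attribute content so the stored URL can never break out of the attribute.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Rendering rebuilds the markup from the stored URL; the user's original string is
// never echoed. The sandbox attribute withholds top-level navigation, popups and
// form submission from the framed document.
function renderEmbed(embedUrl) {
  return `<iframe src="${escapeAttr(embedUrl)}" sandbox="allow-scripts" referrerpolicy="no-referrer"></iframe>`;
}
```

The listing form would call `extractEmbedUrl()` on submission and store only the returned URL; the listing page calls `renderEmbed()` on that URL. Because the stored value is a URL rather than markup, there is no HTML to sanitize and nothing for a script payload to hide behind.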

The upper field allows (malicious) JavaScript code to be added.

(Image: Positive Security)

In the blog post, Bräunlein stresses that the XSS flaw is theoretically “wormable”. An attack scenario in which the listings of any developer could be contaminated with malicious code would, in theory, look like this: the attacker first creates their own app entry and “hides” their JavaScript payload, an XSS worm, in the listing input field mentioned above. The worm contains code that, as a first step, lets it hijack the session of whoever opens the listing. If that person is a developer, the worm can access their listings in the next step. It then writes its own code into the “HTML or Embed media code” field of those third-party listings so that it can spread further from there, and it could replace the third-party app itself with an almost identical copy containing a built-in backdoor.

In this context, Bräunlein also points out that the Pling-based stores share user accounts and session data. He has not published proof-of-concept code for the worm scenario, however.

According to Bräunlein, the XSS attacks also work when prepared listings are opened from the Pling Store app. Beyond that, the app even makes remote code execution possible via XSS. The reason lies in further security flaws in the app, specifically in the ocs-manager component, which acts as a local WebSocket server. According to the researcher, the absence of validation and authentication mechanisms means that any website can open a connection to the WebSocket server from any browser and that ocs-manager accepts whatever commands are sent. In this way, arbitrary AppImage files could be downloaded and executed from a prepared website the user visits, without further user interaction, as long as the Pling Store app is running in the background.

Proof-of-concept code demonstrates this; Bräunlein only left out the port brute-forcing mechanism that would be required. “The WebSocket server (ocs-manager), which is started when PlingStore is launched and accepts commands from any website, looks for a free, local port when it starts. This is hardcoded in the PoC script (…), but can easily be guessed by programmatic trial and error,” the researcher told heise Security.

By his own account, Bräunlein has tried several times since the end of February 2021 to contact the Pling developers by email, telephone and forum posts. So far, however, they have neither responded nor closed the security gap in their products. heise Security also contacted hive 01 GmbH by email yesterday, but has not yet received a reply.

Since the XSS and RCE risks still exist, Bräunlein advises in the blog post not to use the Pling Store app for the time being or, better still, to remove the vulnerable AppImage from the system entirely. Although no exploits have been observed in the wild and no publicly available code for a possible XSS worm has surfaced, the researcher also advises bearing in mind that basically every listing in Pling-based Linux app stores could hijack the accounts of logged-in users and deliver malicious code. It is best to log out for now and not use the stores.

Incidentally, the Gnome team responded far more quickly than hive 01 to an XSS vulnerability on the Gnome Extensions website (extensions.gnome.org) that is also described in the blog post. It was fixed within 24 hours and has posed no threat since the end of February.


(ovw)
