Cybersecurity researchers have disclosed a critical unpatched vulnerability affecting Pling-based free and open-source software marketplaces for the Linux platform. The vulnerability stems from the way the store’s product listing page parses HTML or embedded media fields, which could allow an attacker to inject malicious JavaScript code and ultimately achieve arbitrary code execution. A similar XSS flaw uncovered in the GNOME Shell Extensions marketplace could be leveraged to target the victim’s computer by issuing malicious commands to the GNOME Shell Integration browser extension, and even to backdoor published extensions.
Source: https://thehackernews.com/2021/06/unpatched-critical-flaw-affects-pling.html
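To illustrate the bug class described above, here is an added example (not code from the article, Pling or GNOME): a listing renderer that concatenates the "embedded media" field straight into the page, beside a hardened version that treats the field as data, validates the URL against an assumed host allowlist, and escapes everything it emits. The `payload()` handler and `media.example.org` host are constructed for the demonstration.

```javascript
// escapeHtml: neutralise the characters that break out of text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: the field is inserted as markup, so any event handler or
// <script> the uploader put in the listing runs in every visitor's browser.
function renderListingUnsafe(listing) {
  return `<div class="listing"><h2>${listing.title}</h2>` +
    `<div class="media">${listing.media}</div></div>`;
}

// Hardened pattern: accept only an https URL on an allowlisted host (assumed
// host) and build the <img>/<video> tag ourselves from escaped values.
const ALLOWED_MEDIA_HOSTS = new Set(['media.example.org']); // constructed
function safeMediaUrl(raw) {
  let u;
  try { u = new URL(String(raw)); } catch { return null; }
  if (u.protocol !== 'https:' || !ALLOWED_MEDIA_HOSTS.has(u.hostname)) return null;
  return u.href;
}
function renderListingSafe(listing) {
  const url = safeMediaUrl(listing.mediaUrl);
  const media = !url ? ''
    : listing.mediaType === 'video'
      ? `<video controls src="${escapeHtml(url)}"></video>`
      : `<img src="${escapeHtml(url)}" alt="">`;
  return `<div class="listing"><h2>${escapeHtml(listing.title)}</h2>` +
    `<div class="media">${media}</div></div>`;
}

// Constructed sample listing: the media field carries an event handler and
// the URL field uses a javascript: scheme; both must be neutralised.
const SAMPLE = {
  title: 'Nice <b>Theme</b>',
  media: '<img src=x onerror="payload()">',
  mediaUrl: 'javascript:payload()',
  mediaType: 'img',
};
const CLEAN = { title: 'Theme', mediaUrl: 'https://media.example.org/shot.png', mediaType: 'img' };
```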