Vulnerabilities in the store.kde.org and OpenDesktop catalogs

In the application catalogs built on the Pling platform, an XSS vulnerability has been identified that allows JavaScript code to be executed in the context of other users. The affected sites include store.kde.org, appimagehub.com, gnome-look.org, xfce-look.org and pling.com.

The crux of the problem is that the Pling platform lets users add multimedia blocks in HTML format, for example to embed a YouTube video or an image. The markup submitted through the form is not verified properly, which makes it possible to add code of the form “…” and publish a catalog entry that runs JavaScript whenever it is viewed. If the entry is opened by a logged-in user, the attacker can perform actions in the catalog on behalf of that user, including injecting the same JavaScript call into that user's own pages, which amounts to a network worm.
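The root cause is a design choice, not a missed filter: the site stores markup written by one user and echoes it into pages seen by everyone else. The following added example (not Pling's code) contrasts that pattern with a hardened one in which the form submits only a structured description of the media block and the server generates the markup from fixed templates. The function names, the YouTube video-ID format check, the allowed image host and the worm payload are assumptions constructed for the illustration.

```javascript
// Added example, not Pling code. Contrasts echoing user-supplied HTML with
// rendering media blocks from a validated, structured description.

// Vulnerable pattern: the raw HTML "media block" a user submitted is stored and
// later inserted unchanged into pages viewed by other users.
function renderMediaBlockUnsafe(userHtml) {
  return `<div class="media">${userHtml}</div>`;
}

// Hardened pattern: the form submits { kind, ...fields }, never markup. Every
// field is validated and the markup is built from fixed templates.
// The allowed image host and the YouTube ID format are assumptions.
const YOUTUBE_ID = /^[A-Za-z0-9_-]{11}$/;
const IMAGE_HOSTS = new Set(['images.example.org']);

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Accepts only absolute https URLs; javascript:, data: and file: fail here.
function parseHttpsUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; }
  return u.protocol === 'https:' ? u : null;
}

// Returns the rendered block, or null when the description is rejected.
function renderMediaBlockSafe(block) {
  if (block.kind === 'youtube') {
    if (!YOUTUBE_ID.test(block.videoId)) return null;
    return `<div class="media"><iframe src="https://www.youtube.com/embed/${block.videoId}" allowfullscreen></iframe></div>`;
  }
  if (block.kind === 'image') {
    const u = parseHttpsUrl(block.src);
    if (!u || !IMAGE_HOSTS.has(u.hostname)) return null;
    return `<div class="media"><img src="${escapeHtml(u.href)}" alt="${escapeHtml(block.alt || '')}"></div>`;
  }
  return null; // unknown kind
}

// Constructed attacker input: an <img> whose error handler re-posts the page
// through a hypothetical catalog API, the worm behaviour described above.
const WORM_PAYLOAD =
  '<img src="x" onerror="fetch(\'/api/listings\',{method:\'POST\',body:document.body.innerHTML})">';

console.log(renderMediaBlockUnsafe(WORM_PAYLOAD));                 // handler survives intact
console.log(renderMediaBlockSafe({ kind: 'image', src: WORM_PAYLOAD })); // null: not a URL
console.log(renderMediaBlockSafe({ kind: 'youtube', videoId: 'dQw4w9WgXcQ' }));
```

The hardened version never has a code path through which user-controlled markup reaches the page: the video ID is matched against a strict pattern before it is interpolated, and the image URL is re-serialised from the parsed object and attribute-escaped, so an event handler smuggled into either field is rejected rather than sanitised.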

In addition, a vulnerability was found in PlingStore, an Electron-based application that lets users browse the OpenDesktop catalogs and install the packages offered there without a browser. The vulnerability in PlingStore allows code execution on the user's system. While running, PlingStore additionally launches the ocs-manager process, which accepts local WebSocket connections and executes commands such as downloading and running applications in AppImage format. The commands are meant to come from the PlingStore application, but because there is no authentication, a request to ocs-manager can also be sent from the user's browser. If the user opens a malicious page, that page can connect to ocs-manager and have code executed on the user's system.

An XSS vulnerability has also been reported in the extensions.gnome.org catalog: in the field for the project's home page URL one can enter JavaScript code in the form “javascript:code”, and when the link is clicked the specified JavaScript runs instead of the project site opening. On the one hand, the problem is rather speculative, since submissions to the extensions.gnome.org catalog go through pre-moderation, and the attack requires not merely opening a particular page but an explicit click on the link. On the other hand, it is quite possible that a moderator reviewing a submission wants to visit the project site, does not notice the form of the link and runs the JavaScript code in the context of their own account.
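The usual mistake behind a javascript: link is a check on the literal string rather than on the parsed URL. The following added example (not extensions.gnome.org code) shows a naive prefix check beside a scheme-allowlist check built on the WHATWG URL parser, which strips leading whitespace and embedded tabs and newlines the same way a browser does before deciding what scheme a link has, and a link renderer that only ever emits an URL that passed the check. The function names and the sample inputs are assumptions constructed for the illustration.

```javascript
// Added example, not extensions.gnome.org code. Validating a user-supplied
// home page URL so that it can never become an executable link.

// Naive check: catches only the exact lower-case prefix.
function homepageLooksSafeNaive(raw) {
  return !raw.startsWith('javascript:');
}

// Robust check: parse with the same rules browsers use, then allow only an
// explicit list of schemes. Relative or malformed input is rejected outright.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function homepageIsSafe(raw) {
  let u;
  try { u = new URL(raw); } catch { return false; }
  return ALLOWED_SCHEMES.has(u.protocol);
}

function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// What the catalog page and the moderation view should emit: the link is built
// from the re-serialised URL only after the scheme check, so a moderator who
// clicks it lands on the project site or on nothing at all.
function renderHomepageLink(raw) {
  if (!homepageIsSafe(raw)) return '<span class="homepage">(invalid URL)</span>';
  const href = escapeAttr(new URL(raw).href);
  return `<a href="${href}" rel="noopener noreferrer">${href}</a>`;
}

// Constructed inputs that slip past the naive check but not the robust one.
const TRICKY = [
  'JavaScript:alert(document.cookie)',        // case variation
  ' javascript:alert(1)',                     // leading space, stripped by the parser
  'java\tscript:alert(1)',                    // embedded tab, removed by the parser
  'data:text/html,<script>alert(1)</script>', // a different executable scheme
  '//attacker.example/',                      // scheme-relative, not a project site
];

for (const t of TRICKY) {
  console.log(JSON.stringify(t), 'naive:', homepageLooksSafeNaive(t), 'robust:', homepageIsSafe(t));
}
```

Note that the parser accepts `javascript:` as a valid opaque-path URL, so the decision must be made on `u.protocol` against an allowlist; a denylist of bad schemes would still miss `data:`, `vbscript:` and whatever a particular browser adds next.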
