“My fundamental complaint with Electron is that relatively basic usage still demands that non-security devs understand the full security properties of their system and scope broker usage appropriately,” said an engineering director for Google Chrome in 2020 after an RCE vulnerability in the Electron-based desktop Slack app came to light. While Electron is quite useful for making cross-platform apps out of JavaScript, HTML, and CSS, it does need to be secured, which requires developers who know what they're doing.

Bräunlein said he first tried tipping off the programmers in February, and again and again thereafter, and nothing was done. Pling’s anonymous maintainers, who do not identify themselves on either or sister site, did not respond to an email seeking comment.

And as for the webpage-delivered RCE, “exploitation is triggered by visiting a malicious website in any browser, while PlingStore is running in the background.” “When the XSS is triggered inside the Electron app, the payload can establish a connection to the local WebSocket server and send messages to execute arbitrary native code,” wrote Bräunlein.

That means accessing a booby-trapped marketplace listing in the app, or surfing to a bad website with PlingStore running in the background, can lead to malware running on your Linux PC via the Pling application, according to Positive.
When run, the app creates a local WebSocket server that is insecure. An XSS payload delivered from a theme marketplace, or any webpage opened in a browser, can connect to this local server, and use it to tell the software to fetch and run arbitrary malicious code.

RCE-hunting

Following on from that discovery, Bräunlein realized the PlingStore marketplace application was also vulnerable to the XSS – “and from there, can likely be escalated to RCE when combined with an Electron sandbox bypass.” While KDE patched Discover in March following Bräunlein’s findings, Pling was less proactive.

“This stored XSS could be used to modify active listings, or post new listings on the Pling store in the context of other users, resulting in a wormable XSS,” he wrote. Invoking the vuln was straightforward: Bräunlein navigated to KDE Discover's upload page for new creations, and pasted a JavaScript-based XSS payload into one of its fields, wrapped inside an iframe.