mobsf 4.4.0 vulnerabilities

Known vulnerabilities in the mobsf package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H Directory Traversal mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Affected versions of this package are vulnerable to Directory Traversal via the `ar_extract` function in theshared_func.py` file. An attacker can overwrite arbitrary files on the server by uploading a specially crafted archive containing absolute file paths, leading to potential data loss, application malfunction, or compromise of application integrity. How to fix Directory Traversal? Upgrade `mobsf` to version 4.4.2 or higher.	[4.4.0,4.4.2)
M Improper Handling of Highly Compressed Data (Data Amplification) mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) through the ZIP file upload functionality. An attacker can exhaust the server's disk space, leading to a complete denial of service for MobSF and potentially other applications or websites hosted on the same server by crafting a specially prepared ZIP file that expands significantly upon extraction. How to fix Improper Handling of Highly Compressed Data (Data Amplification)? Upgrade `mobsf` to version 4.4.2 or higher.	[0,4.4.2)
M Cross-site Scripting (XSS) mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user-supplied SVG files during the Android APK analysis workflow. An attacker can execute arbitrary scripts in the context of the MobSF user session by uploading a malicious SVG file as an app icon and accessing the publicly available URL. How to fix Cross-site Scripting (XSS)? Upgrade `mobsf` to version 4.4.2 or higher.	[0,4.4.2)
H Insecure Permissions mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Affected versions of this package are vulnerable to Insecure Permissions due to missing access restrictions. An attacker can append `/recent_scans/` to the URL after the homepage and gain access to APK or IPA reports, potentially leading to sensitive information disclosure. How to fix Insecure Permissions? There is no fixed version for `mobsf`.	[0,)

Vulnerability

Vulnerable Version

Directory Traversal

mobsf is a Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

Affected versions of this package are vulnerable to Directory Traversal via the ar_extract function in theshared_func.py` file. An attacker can overwrite arbitrary files on the server by uploading a specially crafted archive containing absolute file paths, leading to potential data loss, application malfunction, or compromise of application integrity.

How to fix Directory Traversal?

Upgrade mobsf to version 4.4.2 or higher.

[4.4.0,4.4.2)

Improper Handling of Highly Compressed Data (Data Amplification)

Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) through the ZIP file upload functionality. An attacker can exhaust the server's disk space, leading to a complete denial of service for MobSF and potentially other applications or websites hosted on the same server by crafting a specially prepared ZIP file that expands significantly upon extraction.

How to fix Improper Handling of Highly Compressed Data (Data Amplification)?

Upgrade mobsf to version 4.4.2 or higher.

[0,4.4.2)

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user-supplied SVG files during the Android APK analysis workflow. An attacker can execute arbitrary scripts in the context of the MobSF user session by uploading a malicious SVG file as an app icon and accessing the publicly available URL.

How to fix Cross-site Scripting (XSS)?

Upgrade mobsf to version 4.4.2 or higher.

[0,4.4.2)

Insecure Permissions

Affected versions of this package are vulnerable to Insecure Permissions due to missing access restrictions. An attacker can append /recent_scans/ to the URL after the homepage and gain access to APK or IPA reports, potentially leading to sensitive information disclosure.

How to fix Insecure Permissions?

There is no fixed version for mobsf.

[0,)

mobsf@4.4.0 vulnerabilities

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?