CVE-2024-41955 – mobsf

Package

Manager: pip
Name: mobsf
Vulnerable Version: >=0 <4.0.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.11321 pctl0.9328

Details

MobSF vulnerable to Open Redirect in Login Redirect ### Impact _What kind of vulnerability is it? Who is impacted?_ An open redirect vulnerability exist in MobSF authentication view. PoC 1. Go to http://127.0.0.1:8000/login/?next=//afine.com in a web browser. 2. Enter credentials and press "Sign In". 3. You will be redirected to [afine.com](http://afine.com/) Users who are not using authentication are not impacted. ### Patches _Has the problem been patched? What versions should users upgrade to?_ Update to MobSF v4.0.5 ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ Disable Authentication ### References _Are there any links users can visit to find out more?_ Fix: https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/fdaad81314f393d324c1ede79627e9d47986c8c8 ### Reporter Marcin Węgłowski (AFINE Team)

Metadata

Created: 2024-07-31T20:54:08Z
Modified: 2024-08-02T15:58:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-8m9j-2f32-2vx4/GHSA-8m9j-2f32-2vx4.json
CWE IDs: ["CWE-601"]
Alternative ID: GHSA-8m9j-2f32-2vx4
Finding: F100
Auto approve: 1