Lucene search
+L
OpensecurityMobile Security Framework

18 matches found

CVE
CVE
added 2025/05/05 6:23 p.m.105 views

CVE-2025-46335

The CVE-2025-46335 entry concerns Mobile Security Framework (MobSF) and describes a Stored Cross-Site Scripting (XSS) vulnerability in MobSF versions up to 4.3.2, arising from improper sanitization of user-supplied SVG files during the Android APK analysis workflow. Affected component: MobSF Andr...

8.6CVSS5.3AI score0.00251EPSS
CVE
CVE
added 2024/03/22 10:12 p.m.98 views

CVE-2024-29190

MobSF (Mobile Security Framework) vulnerability CVE-2024-29190 causes SSRF via hostname extraction in android:host when input validation is not performed in versions up to 3.9.5 Beta. The issue arises from host resolution in valid_host(), where socket.gethostbyname() can be abused with DNS rebind...

7.5CVSS7.3AI score0.00712EPSS
CVE
CVE
added 2025/03/31 4:42 p.m.87 views

CVE-2025-31116

CVE-2025-31116 relates to Mobile Security Framework (MobSF) and its valid_host() function, where DNS rebinding enables SSRF. The vulnerability arises from using socket.gethostbyname() and local/invalid-prefix checks that can be bypassed, allowing DNS-based host resolution to reach internal resour...

9.8CVSS4.6AI score0.00446EPSS
CVE
CVE
added 2024/12/03 3:33 p.m.82 views

CVE-2024-54000

CVE-2024-54000 affects MobSF prior to 3.9.7. The root cause is in _check_url using requests.get() with allow_redirects=True, enabling an SSRF when a .well-known/assetlinks.json response returns a 302 redirect. This bypasses the prior fix for CVE-2024-29190 and is fixed in MobSF 3.9.7. The connect...

7.5CVSS7.5AI score0.00407EPSS
Web
CVE
CVE
added 2025/02/05 6:41 p.m.81 views

CVE-2025-24804

CVE-2025-24804 affects MobSF (Mobile Security Framework). A flaw in the Info.plist CFBundleIdentifier parsing allows an attacker to inject special characters into the bundle ID, causing the application to fail to render content and throw a 500 error (DoS-like unavailability). The vulnerability is...

4.8CVSS6.5AI score0.00448EPSS
CVE
CVE
added 2024/04/04 4:10 p.m.80 views

CVE-2024-31215

MobSF (Mobile Security Framework) is affected by a Server-Side Request Forgery (SSRF) in the firebase database check logic. The vulnerability allows an attacker to cause the MobSF server to connect to internal-only services within the organization’s infrastructure when a malicious app is uploaded...

6.3CVSS6AI score0.0051EPSS
CVE
CVE
added 2025/02/05 6:41 p.m.78 views

CVE-2025-24805

CVE-2025-24805 concerns the Mobile Security Framework (MobSF). A local-privilege issue affects users with minimal privileges who can obtain an API token with elevated privileges, enabling access to materials scoped beyond their rights via the token mechanism (notably involving the /source_code/to...

8.5CVSS6.4AI score0.00348EPSS
CVE
CVE
added 2025/02/05 6:41 p.m.77 views

CVE-2025-24803

MobSF contains a Stored XSS in the iOS Dynamic Analyzer due to unsanitized CFBundleIdentifier input from Corellium in dynamic_analysis.html. An attacker can modify Info.plist to include special characters and trigger HTML context breaks when a malicious app is uploaded, enabling actions as users ...

8.4CVSS6.2AI score0.00373EPSS
Web
CVE
CVE
added 2024/12/03 3:39 p.m.74 views

CVE-2024-53999

MobSF suffers a Stored Cross-Site Scripting (XSS) vulnerability in the Diff or Compare functionality. The issue stems from allowing scripts in the filename parameter during file uploads, enabling a malicious actor to upload a script and trigger its execution when users invoke the diff/compare fea...

8.1CVSS7.2AI score0.00508EPSS
CVE
CVE
added 2024/07/31 7:21 p.m.73 views

CVE-2024-41955

Summary: CVE-2024-41955 affects Mobile Security Framework (MobSF). The vulnerability is an open redirect in the authentication view, potentially allowing an attacker to redirect authenticated users to a malicious site after login. Multiple sources document this as MobSF open redirect, with remedi...

5.4CVSS5.2AI score0.01EPSS
CVE
CVE
added 2025/05/05 7:32 p.m.73 views

CVE-2025-46730

MobSF (Mobile Security Framework) versions up to 4.3.2 are vulnerable to a ZIP of Death due to missing a check on the total uncompressed size of uploaded ZIP files. An attacker can craft a small ZIP that expands to gigabytes, exhausting disk space and causing a DoS affecting MobSF and other on‑ho...

6.8CVSS6.7AI score0.00411EPSS
CVE
CVE
added 2023/09/21 12:0 a.m.69 views

CVE-2023-42261

CVE-2023-42261 affects Mobile Security Framework (MobSF)

7.5CVSS7.7AI score0.00691EPSS
CVE
CVE
added 2022/10/18 12:0 a.m.60 views

CVE-2022-41547

MobSF (Mobile Security Framework) is affected up to version 0.9.2, with a local file inclusion (LFI) vulnerability in StaticAnalyzer/views.py that allows reading arbitrary files via a crafted HTTP request. The CVE notes a CVSS v3.1 base score of 7.5 (HIGH) with network attack vector, no authentic...

7.5CVSS7.3AI score0.012EPSS
CVE
CVE
added 2024/08/19 2:44 p.m.57 views

CVE-2024-43399

MobSF (Mobile Security Framework) prior to version 4.0.7 contains a Zip Slip vulnerability in the Static Libraries analysis when extracting .a files. The mitigation (decoding and string replacement) is bypassable (e.g., using sequences like ....//....//....//), allowing extraction to arbitrary se...

9.8CVSS7.6AI score0.00902EPSS
CVE
CVE
added 2025/09/02 12:45 a.m.36 views

CVE-2025-58161

MobSF (Mobile Security Framework) CVE-2025-58161: The 4.4.0 release exposes a directory traversal via GET /download/ caused by using os.path.commonprefix for path validation. An authenticated user can access files outside the DWD_DIR by requesting a path like /download////file (or equivalents tha...

5.3CVSS6.2AI score0.0073EPSS
CVE
CVE
added 2025/09/02 12:46 a.m.26 views

CVE-2025-58162

Summary: CVE-2025-58162 affects MobSF. An authenticated user uploading a specially crafted .a archive can write arbitrary files to any location writable by the MobSF process, due to improper handling of absolute paths during AR extraction (ar_extract writes Path(dst)/filtered without validating a...

6.5CVSS6.3AI score0.0056EPSS
CVE
CVE
added 2026/01/27 12:40 a.m.21 views

CVE-2026-24490

MobSF (Mobile Security Framework)

8.1CVSS6.1AI score0.0031EPSS
CVE
CVE
added 2026/03/26 8:32 p.m.14 views

CVE-2026-33545

Summary: CVE-2026-33545 affects MobSF before 4.4.6, where read_sqlite() builds SQL queries by interpolating table names from sqlite_master using Python string formatting. This enables attacker-controlled table names to cause a DoS via a PRAGMA table_info() syntax error and, in isolation, SQL inje...

6.5CVSS5.9AI score0.00276EPSS