GHSA-8m9j-2f32-2vx4
MobSF vulnerable to Open Redirect in Login Redirect
Details
### Impact

An open redirect vulnerability exists in the MobSF authentication (login) view: the `next` query parameter supplied to the login page is used as the post-login redirect target, so a protocol-relative value such as `//afine.com` sends the browser to an external host after a successful sign-in.

PoC:

1. Go to http://127.0.0.1:8000/login/?next=//afine.com in a web browser.
2. Enter credentials and press "Sign In".
3. You will be redirected to [afine.com](http://afine.com/)

Users who are not using authentication are not impacted.
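The following is an added example of the defensive check that closes this class of bug; it is illustrative code written for this page, not MobSF's own code and not the content of the fix commit linked below. The function names `is_safe_redirect` and `safe_next` and the sample inputs are constructed for the example. Django applications would normally use `django.utils.http.url_has_allowed_host_and_scheme` for this purpose; the stdlib-only version here shows what such a check has to cover, including the protocol-relative form (`//host`) used in the PoC, backslash variants that browsers normalise to slashes, and absolute URLs with a scheme.

```python
from urllib.parse import urlparse

# Hypothetical helper (not MobSF code): accept a post-login "next" value only
# if it is a path-absolute reference on the current site.
def is_safe_redirect(next_url: str) -> bool:
    """Return True only when next_url cannot take the browser off-site.

    Rejected forms:
      - absolute URLs with a scheme ("http://evil.example", "javascript:...")
      - network-path references ("//evil.example", "///evil.example")
      - backslash variants ("/\\evil.example"), which browsers treat like "/"
      - values with leading/trailing whitespace or control characters
      - relative paths without a leading "/" (ambiguous; not needed for "next")
    """
    if not next_url:
        return False
    # Browsers treat "\" as "/" when resolving URLs, so normalise before parsing.
    candidate = next_url.replace("\\", "/")
    # Whitespace and control characters can be stripped by URL parsers in ways
    # that differ between server and browser; reject them outright.
    if candidate != candidate.strip() or any(ord(c) < 0x20 for c in candidate):
        return False
    parsed = urlparse(candidate)
    # Any scheme or host component means the target is not a local path.
    if parsed.scheme or parsed.netloc:
        return False
    # Require exactly one leading slash: "//" and "///" resolve to another host.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False
    return True


def safe_next(next_url: str, default: str = "/") -> str:
    """Return next_url if it passes validation, otherwise the default path."""
    return next_url if is_safe_redirect(next_url) else default


if __name__ == "__main__":
    # Constructed sample inputs (not from the advisory), one per category.
    samples = [
        "//afine.com",            # protocol-relative, as in the PoC -> rejected
        "///afine.com",           # triple slash -> rejected
        "http://afine.com/",      # absolute URL -> rejected
        "/\\afine.com",           # backslash variant -> rejected
        "javascript:alert(1)",    # scheme-only -> rejected
        "/recent_scans/?page=2",  # local path with query -> accepted
    ]
    for value in samples:
        print(f"{value!r:28} -> {safe_next(value)!r}")
```

Usage note: call `safe_next(request.GET.get("next", ""))` (or the equivalent in your framework) at the point where the login view chooses its redirect target, and never pass the raw parameter to the redirect function.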
### Patches

Update to MobSF v4.0.5.

### Workarounds

Disable authentication.

### References

Fix: https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/fdaad81314f393d324c1ede79627e9d47986c8c8

### Reporter

Marcin Węgłowski (AFINE Team)
References
- https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-8m9j-2f32-2vx4 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2024-41955 [ADVISORY]
- https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/fdaad81314f393d324c1ede79627e9d47986c8c8 [WEB]
- https://github.com/MobSF/Mobile-Security-Framework-MobSF [PACKAGE]