cvelistv5 - cve-2025-24803

cve-2025-24803

Vulnerability from cvelistv5

Published

2025-02-05 18:41

Modified

2025-02-12 19:41

Severity ?

8.4 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple's documentation for bundle ID's, it must contain only alphanumeric characters (A–Z, a–z, and 0–9), hyphens (-), and periods (.). However, an attacker can manually modify this value in the `Info.plist` file and add special characters to the `<key>CFBundleIdentifier</key>` value. The `dynamic_analysis.html` file does not sanitize the received bundle value from Corellium and as a result, it is possible to break the HTML context and achieve Stored XSS. This issue has been addressed in version 4.3.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

References

▼	URL	Tags
	security-advisories@github.com	https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier
	security-advisories@github.com	https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/05206e72cae35b311615a70e51e1a946955c5e83
	security-advisories@github.com	https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-cxqq-w3x5-7ph3

Impacted products

	Vendor	Product	Version
	MobSF	Mobile-Security-Framework-MobSF	Version: = 4.3.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24803",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-05T19:06:42.793359Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T19:41:05.505Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Mobile-Security-Framework-MobSF",
          "vendor": "MobSF",
          "versions": [
            {
              "status": "affected",
              "version": "= 4.3.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple\u0027s documentation for bundle ID\u0027s, it must contain only alphanumeric characters (A\u2013Z, a\u2013z, and 0\u20139), hyphens (-), and periods (.). However, an attacker can manually modify this value in the `Info.plist` file and add special characters to the `\u003ckey\u003eCFBundleIdentifier\u003c/key\u003e` value. The `dynamic_analysis.html` file does not sanitize the received bundle value from Corellium and as a result, it is possible to break the HTML context and achieve Stored XSS. This issue has been addressed in version 4.3.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-05T18:41:30.040Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-cxqq-w3x5-7ph3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-cxqq-w3x5-7ph3"
        },
        {
          "name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/05206e72cae35b311615a70e51e1a946955c5e83",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/05206e72cae35b311615a70e51e1a946955c5e83"
        },
        {
          "name": "https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier"
        }
      ],
      "source": {
        "advisory": "GHSA-cxqq-w3x5-7ph3",
        "discovery": "UNKNOWN"
      },
      "title": "Stored Cross-Site Scripting (XSS) in MobSF"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-24803",
    "datePublished": "2025-02-05T18:41:30.040Z",
    "dateReserved": "2025-01-23T17:11:35.839Z",
    "dateUpdated": "2025-02-12T19:41:05.505Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-24803\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-02-05T19:15:46.207\",\"lastModified\":\"2025-02-05T19:15:46.207\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple\u0027s documentation for bundle ID\u0027s, it must contain only alphanumeric characters (A\u2013Z, a\u2013z, and 0\u20139), hyphens (-), and periods (.). However, an attacker can manually modify this value in the `Info.plist` file and add special characters to the `\u003ckey\u003eCFBundleIdentifier\u003c/key\u003e` value. The `dynamic_analysis.html` file does not sanitize the received bundle value from Corellium and as a result, it is possible to break the HTML context and achieve Stored XSS. This issue has been addressed in version 4.3.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"PASSIVE\",\"vulnerableSystemConfidentiality\":\"HIGH\",\"vulnerableSystemIntegrity\":\"HIGH\",\"vulnerableSystemAvailability\":\"NONE\",\"subsequentSystemConfidentiality\":\"NONE\",\"subsequentSystemIntegrity\":\"NONE\",\"subsequentSystemAvailability\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirements\":\"NOT_DEFINED\",\"integrityRequirements\":\"NOT_DEFINED\",\"availabilityRequirements\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnerableSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedVulnerableSystemIntegrity\":\"NOT_DEFINED\",\"modifiedVulnerableSystemAvailability\":\"NOT_DEFINED\",\"modifiedSubsequentSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedSubsequentSystemIntegrity\":\"NOT_DEFINED\",\"modifiedSubsequentSystemAvailability\":\"NOT_DEFINED\",\"safety\":\"NOT_DEFINED\",\"automatable\":\"NOT_DEFINED\",\"recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/05206e72cae35b311615a70e51e1a946955c5e83\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-cxqq-w3x5-7ph3\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-24803\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-05T19:06:42.793359Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-12T19:39:15.840Z\"}}], \"cna\": {\"title\": \"Stored Cross-Site Scripting (XSS) in MobSF\", \"source\": {\"advisory\": \"GHSA-cxqq-w3x5-7ph3\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"MobSF\", \"product\": \"Mobile-Security-Framework-MobSF\", \"versions\": [{\"status\": \"affected\", \"version\": \"= 4.3.0\"}]}], \"references\": [{\"url\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-cxqq-w3x5-7ph3\", \"name\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-cxqq-w3x5-7ph3\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/05206e72cae35b311615a70e51e1a946955c5e83\", \"name\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/05206e72cae35b311615a70e51e1a946955c5e83\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier\", \"name\": \"https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple\u0027s documentation for bundle ID\u0027s, it must contain only alphanumeric characters (A\\u2013Z, a\\u2013z, and 0\\u20139), hyphens (-), and periods (.). However, an attacker can manually modify this value in the `Info.plist` file and add special characters to the `\u003ckey\u003eCFBundleIdentifier\u003c/key\u003e` value. The `dynamic_analysis.html` file does not sanitize the received bundle value from Corellium and as a result, it is possible to break the HTML context and achieve Stored XSS. This issue has been addressed in version 4.3.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-02-05T18:41:30.040Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-24803\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-12T19:41:05.505Z\", \"dateReserved\": \"2025-01-23T17:11:35.839Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-02-05T18:41:30.040Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2025-24803

Vulnerability from fkie_nvd

Published

2025-02-05 19:15

Modified

2025-02-05 19:15

Severity ?

8.4 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

References

▼	URL	Tags
	security-advisories@github.com	https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier
	security-advisories@github.com	https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/05206e72cae35b311615a70e51e1a946955c5e83
	security-advisories@github.com	https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-cxqq-w3x5-7ph3

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple\u0027s documentation for bundle ID\u0027s, it must contain only alphanumeric characters (A\u2013Z, a\u2013z, and 0\u20139), hyphens (-), and periods (.). However, an attacker can manually modify this value in the `Info.plist` file and add special characters to the `\u003ckey\u003eCFBundleIdentifier\u003c/key\u003e` value. The `dynamic_analysis.html` file does not sanitize the received bundle value from Corellium and as a result, it is possible to break the HTML context and achieve Stored XSS. This issue has been addressed in version 4.3.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
    },
    {
      "lang": "es",
      "value": "Mobile Security Framework (MobSF) es un framework automatizado y todo en uno para pruebas de penetraci\u00f3n, an\u00e1lisis de malware y evaluaci\u00f3n de seguridad de aplicaciones m\u00f3viles (Android/iOS/Windows). Seg\u00fan la documentaci\u00f3n de Apple para los identificadores de paquete, estos deben contener solo caracteres alfanum\u00e9ricos (A\u2013Z, a\u2013z y 0\u20139), guiones (-) y puntos (.). Sin embargo, un atacante puede modificar manualmente este valor en el archivo `Info.plist` y agregar caracteres especiales al valor `CFBundleIdentifier`. El archivo `dynamic_analysis.html` no desinfecta el valor del paquete recibido de Corellium y, como resultado, es posible romper el contexto HTML y lograr XSS almacenado. Este problema se ha solucionado en la versi\u00f3n 4.3.1 y se recomienda a todos los usuarios que actualicen. No existen workarounds para esta vulnerabilidad."
    }
  ],
  "id": "CVE-2025-24803",
  "lastModified": "2025-02-05T19:15:46.207",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "automatable": "NOT_DEFINED",
          "availabilityRequirements": "NOT_DEFINED",
          "baseScore": 8.4,
          "baseSeverity": "HIGH",
          "confidentialityRequirements": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirements": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubsequentSystemAvailability": "NOT_DEFINED",
          "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED",
          "modifiedSubsequentSystemIntegrity": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnerableSystemAvailability": "NOT_DEFINED",
          "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED",
          "modifiedVulnerableSystemIntegrity": "NOT_DEFINED",
          "privilegesRequired": "HIGH",
          "providerUrgency": "NOT_DEFINED",
          "recovery": "NOT_DEFINED",
          "safety": "NOT_DEFINED",
          "subsequentSystemAvailability": "NONE",
          "subsequentSystemConfidentiality": "NONE",
          "subsequentSystemIntegrity": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnerabilityResponseEffort": "NOT_DEFINED",
          "vulnerableSystemAvailability": "NONE",
          "vulnerableSystemConfidentiality": "HIGH",
          "vulnerableSystemIntegrity": "HIGH"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-05T19:15:46.207",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/05206e72cae35b311615a70e51e1a946955c5e83"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-cxqq-w3x5-7ph3"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

ghsa-cxqq-w3x5-7ph3

Vulnerability from github

Published

2025-02-05 20:56

Modified

2025-02-05 21:45

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Summary

MobSF Stored Cross-Site Scripting (XSS)

Details

Product: MobSF Version: < 4.3.1 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.4.0: 8.5 (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N) CVSS vector v.3.1: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) Description: Stored XSS in the iOS Dynamic Analyzer functionality. Impact: Leveraging this vulnerability would enable performing actions as users, including administrative users. Vulnerable component: dynamic_analysis.html https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html#L406 Exploitation conditions: A malicious application was uploaded to the Correlium. Mitigation: Use escapeHtml() function on the bundle variable. Researcher: Oleg Surnin (Positive Technologies)

Research

Researcher discovered zero-day vulnerability Stored Cross-site Scripting (XSS) in MobSF in iOS Dynamic Analyzer functionality. According to Apple's documentation for bundle ID's, it must contain only alphanumeric characters (A–Z, a–z, and 0–9), hyphens (-), and periods (.). (https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier) However, an attacker can manually modify this value in Info.plist file and add special characters to the <key>CFBundleIdentifier</key> value. In the dynamic_analysis.html file you do not sanitize received bundle value from Corellium https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html#L406

Figure 1. Unsanitized bundle

As a result, it is possible to break the HTML context and achieve Stored XSS.

Vulnerability reproduction

To reproduce the vulnerability, follow the steps described below.

• Unzip the IPA file of any iOS application. Listing 1. Unzipping the file unzip test.ipa • Modify the value of <key>CFBundleIdentifier</key> by adding restricted characters in the Info.plist file.

Figure 2. Example of the modified Bundle Identifier

• Zip the modified IPA file.

Listing 2. Zipping the file zip -r xss.ipa Payload/ • Upload the modified IPA file to your virtual device using the Correlium platform.

Figure 3. Example of the uploaded malicious application

• Open the XSS functionality and hover the mouse over the Uninstall button of the malicious app.

Figure 4. Example of the 'Uninstall' button

Figure 5. Example of the XSS

Figure 6. Example of the vulnerable code

Please, assign all credits to: Oleg Surnin (Positive Technologies)

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.3.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "mobsf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-05T20:56:39Z",
    "nvd_published_at": "2025-02-05T19:15:46Z",
    "severity": "HIGH"
  },
  "details": "**Product:** MobSF\n**Version:** \u003c 4.3.1\n**CWE-ID:** CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\n**CVSS vector v.4.0:** 8.5 (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)\n**CVSS vector v.3.1:** 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)\n**Description:** Stored XSS in the iOS Dynamic Analyzer functionality.\n**Impact:** Leveraging this vulnerability would enable performing actions as users, including administrative users.\n**Vulnerable component:** `dynamic_analysis.html` \nhttps://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html#L406\n**Exploitation conditions:** A malicious application was uploaded to the Correlium.\n**Mitigation:** Use `escapeHtml()` function on the `bundle` variable.\n**Researcher: Oleg Surnin (Positive Technologies)**\n\n## Research\nResearcher discovered zero-day vulnerability Stored Cross-site Scripting (XSS) in MobSF in iOS Dynamic Analyzer functionality.\nAccording to Apple\u0027s documentation for bundle ID\u0027s, it must contain only alphanumeric characters (A\u2013Z, a\u2013z, and 0\u20139), hyphens (-), and periods (.).\n(https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier)\nHowever, an attacker can manually modify this value in `Info.plist` file and add special characters to the `\u003ckey\u003eCFBundleIdentifier\u003c/key\u003e` value.\nIn the `dynamic_analysis.html` file you do not sanitize received bundle value from Corellium \nhttps://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html#L406\n\n\u003cimg width=\"1581\" alt=\"image\" src=\"https://github.com/user-attachments/assets/8400f872-46c0-406c-9dd6-97655e499b75\" /\u003e\n\n*Figure 1. Unsanitized bundle*\n\nAs a result, it is possible to break the HTML context and achieve Stored XSS.\n\n## Vulnerability reproduction\n\nTo reproduce the vulnerability, follow the steps described below.\n\n\u2022\tUnzip the IPA file of any iOS application.\n*Listing 1. Unzipping the file*\n```\nunzip test.ipa\n```\n\u2022\tModify the value of `\u003ckey\u003eCFBundleIdentifier\u003c/key\u003e` by adding restricted characters in the `Info.plist` file.\n\n\u003cimg width=\"560\" alt=\"image-1\" src=\"https://github.com/user-attachments/assets/3eedf216-45ab-4d73-9815-6b02827d36d4\" /\u003e\n\n*Figure 2. Example of the modified Bundle Identifier*\n\n\u2022\tZip the modified IPA file.\n\n*Listing 2. Zipping the file*\n```\nzip -r xss.ipa Payload/\n```\n\u2022\tUpload the modified IPA file to your virtual device using the Correlium platform.\n \n\u003cimg width=\"762\" alt=\"image-2\" src=\"https://github.com/user-attachments/assets/7f3e8b0d-d1f9-4d86-b63b-9b3f9e8f1d0c\" /\u003e\n\n*Figure 3. Example of the uploaded malicious application*\n\n\u2022\tOpen the XSS functionality and hover the mouse over the Uninstall button of the malicious app.\n\n\u003cimg width=\"764\" alt=\"image-3\" src=\"https://github.com/user-attachments/assets/fd621574-f2c1-42be-b30a-e8e7445c6b13\" /\u003e\n\n*Figure 4. Example of the \u0027Uninstall\u0027 button*\n\n \u003cimg width=\"652\" alt=\"image-4\" src=\"https://github.com/user-attachments/assets/73526f71-6d39-4a94-98bf-8a867aa9acc7\" /\u003e\n \n*Figure 5. Example of the XSS*\n \n\u003cimg width=\"460\" alt=\"image-5\" src=\"https://github.com/user-attachments/assets/13e6a1fc-59be-492d-8e42-a5a8010fc4c3\" /\u003e\n\n*Figure 6. Example of the vulnerable code*\n\n___________________________\n\n### Please, assign all credits to: Oleg Surnin (Positive Technologies)",
  "id": "GHSA-cxqq-w3x5-7ph3",
  "modified": "2025-02-05T21:45:22Z",
  "published": "2025-02-05T20:56:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-cxqq-w3x5-7ph3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24803"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/05206e72cae35b311615a70e51e1a946955c5e83"
    },
    {
      "type": "WEB",
      "url": "https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html#L406"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MobSF Stored Cross-Site Scripting (XSS)"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2025-24803

Vulnerability from cvelistv5

fkie_cve-2025-24803

Vulnerability from fkie_nvd

ghsa-cxqq-w3x5-7ph3

Vulnerability from github

Research

Vulnerability reproduction

Please, assign all credits to: Oleg Surnin (Positive Technologies)

Tags

Sightings

Nomenclature