GHSA-cxqq-w3x5-7ph3

Source

https://github.com/advisories/GHSA-cxqq-w3x5-7ph3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-cxqq-w3x5-7ph3/GHSA-cxqq-w3x5-7ph3.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-cxqq-w3x5-7ph3

Aliases

CVE-2025-24803

Published

2025-02-05T20:56:39Z

Modified

2025-02-05T22:02:10.002275Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

MobSF Stored Cross-Site Scripting (XSS)

Details

Product: MobSF Version: < 4.3.1 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.4.0: 8.5 (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N) CVSS vector v.3.1: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) Description: Stored XSS in the iOS Dynamic Analyzer functionality. Impact: Leveraging this vulnerability would enable performing actions as users, including administrative users. Vulnerable component: dynamic_analysis.html https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamicanalysis/ios/dynamicanalysis.html#L406 Exploitation conditions: A malicious application was uploaded to the Correlium. Mitigation: Use escapeHtml() function on the bundle variable. Researcher: Oleg Surnin (Positive Technologies)

Research

Researcher discovered zero-day vulnerability Stored Cross-site Scripting (XSS) in MobSF in iOS Dynamic Analyzer functionality. According to Apple's documentation for bundle ID's, it must contain only alphanumeric characters (A–Z, a–z, and 0–9), hyphens (-), and periods (.). (https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier) However, an attacker can manually modify this value in Info.plist file and add special characters to the <key>CFBundleIdentifier</key> value. In the dynamic_analysis.html file you do not sanitize received bundle value from Corellium https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamicanalysis/ios/dynamicanalysis.html#L406

Figure 1. Unsanitized bundle

As a result, it is possible to break the HTML context and achieve Stored XSS.

Vulnerability reproduction

To reproduce the vulnerability, follow the steps described below.

• Unzip the IPA file of any iOS application. Listing 1. Unzipping the file

unzip test.ipa

• Modify the value of <key>CFBundleIdentifier</key> by adding restricted characters in the Info.plist file.

Figure 2. Example of the modified Bundle Identifier

• Zip the modified IPA file.

Listing 2. Zipping the file

zip -r xss.ipa Payload/

• Upload the modified IPA file to your virtual device using the Correlium platform.

Figure 3. Example of the uploaded malicious application

• Open the XSS functionality and hover the mouse over the Uninstall button of the malicious app.

Figure 4. Example of the 'Uninstall' button

Figure 5. Example of the XSS

Figure 6. Example of the vulnerable code

Please, assign all credits to: Oleg Surnin (Positive Technologies)

Database specific

{
    "nvd_published_at": "2025-02-05T19:15:46Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-05T20:56:39Z"
}

References

Affected packages

PyPI / mobsf

Package

Name: mobsf; View open source insights on deps.dev
Purl: pkg:pypi/mobsf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.3.1

Affected versions

3.*

3.2.6

3.2.7

3.2.8

3.2.9

3.3.3

3.3.5

3.4.0

3.4.3

3.4.6

3.5.0

3.6.0

3.6.9

3.7.6

3.9.7

4.*

4.1.3

4.3.0

Database specific

{
    "last_known_affected_version_range": "<= 4.3.0"
}