CVE-2024-41955
Severity: MEDIUM 5.2 | EPSS: 14.8%
MobSF vulnerable to Open Redirect in Login Redirect
Description
### Impact

_What kind of vulnerability is it? Who is impacted?_

An open redirect vulnerability exists in the MobSF authentication view: the `next` query parameter of the login page is used as the post-login redirect target, and a scheme-relative value such as `//afine.com` sends the user to an external site.

PoC

1. Go to http://127.0.0.1:8000/login/?next=//afine.com in a web browser.
2. Enter credentials and press "Sign In".
3. You will be redirected to [afine.com](http://afine.com/).

Users who are not using authentication are not impacted.

### Patches

_Has the problem been patched? What versions should users upgrade to?_

Update to MobSF v4.0.5.

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

Disable authentication.

### References

_Are there any links users can visit to find out more?_

Fix: https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/fdaad81314f393d324c1ede79627e9d47986c8c8

### Reporter

Marcin Węgłowski (AFINE Team)
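The check that closes this class of open redirect, as an added example that is neither MobSF's code nor the referenced fix: a naive validator that only rejects explicit `http://`/`https://` prefixes (and therefore passes the advisory's `//afine.com` payload), beside a validator that mirrors the checks Django's `url_has_allowed_host_and_scheme` performs, written here with the standard library only. `ALLOWED_HOSTS`, `FALLBACK`, `resolve_next`, `naive_is_safe` and the sample values are assumptions constructed for this example.

```python
import unicodedata
from typing import Optional
from urllib.parse import urlsplit

# Hosts the application may redirect to after login.
# Constructed for this example; a deployment would use its own host list.
ALLOWED_HOSTS = {"127.0.0.1:8000", "localhost:8000"}
FALLBACK = "/"


def naive_is_safe(target: str) -> bool:
    """A check that only blocks explicit http(s) URLs.

    A scheme-relative value such as '//afine.com' passes, and the browser
    resolves it against the current scheme and leaves the site. Shown only
    to illustrate the failure mode.
    """
    return not target.lower().startswith(("http://", "https://"))


def _host_and_scheme_allowed(url: str, allowed_hosts: set) -> bool:
    # Browsers treat three or more leading slashes as an absolute URL,
    # but urlsplit does not, so reject them outright.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # 'http:///afine.com' has a scheme but no netloc; browsers still treat
    # the first path segment as the host, so refuse it.
    if parts.scheme and not parts.netloc:
        return False
    # Some browsers ignore leading control characters, which can turn a
    # relative-looking string into a scheme-relative URL.
    if unicodedata.category(url[0])[0] == "C":
        return False
    # A netloc without a scheme ('//host/path') is resolved as http by browsers.
    scheme = parts.scheme or ("http" if parts.netloc else "")
    host_ok = not parts.netloc or parts.netloc in allowed_hosts
    scheme_ok = not scheme or scheme in {"http", "https"}
    return host_ok and scheme_ok


def is_safe_redirect(target: Optional[str], allowed_hosts: set) -> bool:
    """Return True only if `target` stays on an allowed host over http(s)."""
    if target is None:
        return False
    target = target.strip()
    if not target:
        return False
    # Browsers treat '\' as '/' in URLs; validate both spellings.
    return (_host_and_scheme_allowed(target, allowed_hosts)
            and _host_and_scheme_allowed(target.replace("\\", "/"), allowed_hosts))


def resolve_next(next_param: Optional[str]) -> str:
    """Pick the post-login destination: the validated `next`, else the fallback."""
    if is_safe_redirect(next_param, ALLOWED_HOSTS):
        return next_param.strip()
    return FALLBACK


if __name__ == "__main__":
    # Constructed sample values, including the PoC payload from the advisory.
    samples = ["/dashboard/", "//afine.com", "http://127.0.0.1:8000/recent_scans/",
               "https://afine.com/", "/\\afine.com", "http:///afine.com"]
    for candidate in samples:
        print(f"{candidate!r:42} naive={naive_is_safe(candidate)!s:5} "
              f"safe={is_safe_redirect(candidate, ALLOWED_HOSTS)!s:5} "
              f"-> {resolve_next(candidate)}")
```

The login view would call `resolve_next(request.GET.get("next"))` and redirect to the result, so any value that fails validation lands on the application's own fallback path rather than on an attacker-chosen host. Comparing the two columns printed by the sample run shows why a prefix check is not enough: the scheme-relative, backslash and triple-slash forms all pass the naive check and are all rejected by the host-and-scheme check.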
Affected packages (1)
- PyPI/mobsf: affected versions from 0 up to, but not including, 4.0.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 5.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N |
References (4)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-41955
- PATCH: https://github.com/MobSF/Mobile-Security-Framework-MobSF
- WEB: https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/fdaad81314f393d324c1ede79627e9d47986c8c8
- WEB: https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-8m9j-2f32-2vx4