Ldomenx

Name of the Vulnerable Software and Affected Versions: Mobile Security Framework (MobSF) versions prior to 4.2.9 Description: The application allows users to upload files with scripts in the `filename` parameter. As a result, a malicious user can upload a script file to the system. When users in the application use the "Diff or Compare" functionality, they are affected by a Stored Cross-Site Scripting vulnerability. This issue occurs because the upload functionality allows users to upload files with special characters such as `<`, `>`, `/`, and `"` in the `filename`. The vulnerability can be exploited to steal information from other users or administrators when they perform the compare functionality. Recommendations: For versions prior to 4.2.9, update to version 4.2.9 to fix the vulnerability. As a temporary workaround, consider restricting file uploads to filenames containing only whitelisted characters, such as A-Z, 0-9, and specific special characters permitted by business requirements, like `-` or ` `. Additionally, avoid using the "Diff or Compare" functionality until the issue is resolved.