
Noname1337H1

#21875 of 53,633
10.8 Total CVSS
Vulnerabilities · 2
Medium: 2
PT-2025-35521
4.3
2025-09-02
Mobsf · Mobsf · CVE-2025-58161
**Name of the Vulnerable Software and Affected Versions**
MobSF version 4.4.0

**Description**
The GET /download/ route uses string path verification via `os.path.commonprefix`, which allows an authenticated user to download files outside the intended download directory from neighboring directories with similar path prefixes. This is a directory traversal issue leading to a data leak.

**Recommendations**
Update to version 4.4.1 or later.
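The prefix-comparison weakness described above, shown as an added example (not MobSF's code and not its 4.4.1 patch): a character-wise `os.path.commonprefix` check next to a component-wise `os.path.commonpath` check. The directory, file and function names are constructed for illustration, and POSIX paths are assumed.

```python
import os

# Constructed base directory for illustration; not MobSF's real layout.
DOWNLOAD_DIR = "/srv/mobsf/downloads"


def is_inside_commonprefix(base: str, requested: str) -> bool:
    """Weak check: commonprefix compares strings character by character,
    so a sibling directory such as '<base>_backup' still matches."""
    target = os.path.normpath(os.path.join(base, requested))
    return os.path.commonprefix([base, target]) == base


def is_inside_commonpath(base: str, requested: str) -> bool:
    """Stricter check: resolve symlinks and '..', then compare whole
    path components with commonpath."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, requested))
    try:
        return os.path.commonpath([base_real, target]) == base_real
    except ValueError:
        # Raised when the paths cannot be compared (e.g. mixed drives).
        return False


def compare(requests):
    """Return (request, weak_result, strict_result) for each request."""
    return [
        (r,
         is_inside_commonprefix(DOWNLOAD_DIR, r),
         is_inside_commonpath(DOWNLOAD_DIR, r))
        for r in requests
    ]


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        "report.pdf",                     # legitimate file in the base dir
        "../downloads_backup/secret.db",  # sibling dir sharing the prefix
        "../../etc/passwd",               # classic traversal, no shared prefix
    ]
    for req, weak, strict in compare(samples):
        print(f"{req!r:40} commonprefix={weak!s:5} commonpath={strict}")
```

Only the sibling-directory request separates the two checks: the string prefix matches `/srv/mobsf/downloads_backup`, while the component comparison rejects it.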
PT-2025-35522
6.5
2025-09-02
Mobsf · Mobsf · CVE-2025-58162
**Name of the Vulnerable Software and Affected Versions**
MobSF version 4.4.0

**Description**
MobSF is a mobile application security testing tool. An authenticated user who uploaded a specially prepared one.a file could write arbitrary files to any directory writable by the user of the MobSF process. This issue was addressed in version 4.4.1.

**Recommendations**
Update to version 4.4.1 or later.