Oleg Surnin

Name of the Vulnerable Software and Affected Versions: Mobile Security Framework (MobSF) versions prior to 4.3.1 Description: The issue concerns a stored cross-site scripting (XSS) vulnerability in the iOS Dynamic Analyzer functionality of the Mobile Security Framework (MobSF). According to Apple's documentation, bundle IDs must contain only alphanumeric characters, hyphens, and periods. However, an attacker can manually modify the `CFBundleIdentifier` value in the `Info.plist` file to include special characters. The `dynamic analysis.html` file does not sanitize the received bundle value from Corellium, allowing an attacker to break the HTML context and achieve stored XSS. This could enable an attacker to perform actions as users, including administrative users. The vulnerability can be exploited by uploading a malicious application to Corellium. Recommendations: For versions prior to 4.3.1, update to version 4.3.1 to resolve the issue. As a temporary workaround, consider using the `escapeHtml()` function on the `bundle` variable to sanitize the input. Restrict access to the `dynamic analysis.html` file to minimize the risk of exploitation. Avoid using the `CFBundleIdentifier` value in the `Info.plist` file without proper sanitization until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Mobile Security Framework (MobSF) versions prior to 4.3.1 Description: The issue arises when an attacker manually modifies the `CFBundleIdentifier` value in the `Info.plist` file by adding special characters, which are not allowed according to Apple's documentation. This causes the application to encounter an error when parsing the incorrect characters in the bundle ID, resulting in a 500 error and preventing content from being displayed. The only way to resolve this is to manually remove the malicious application from the system. Recommendations: For versions prior to 4.3.1, upgrade to version 4.3.1 to address the issue. As a temporary workaround, consider manually checking the uploaded bundle IDs against the regex to prevent the error. Additionally, restrict access to the `urls.py` file to minimize the risk of exploitation. Avoid using the `CFBundleIdentifier` value in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Mobile Security Framework (MobSF) versions prior to 3.9.8 **Description** A Server-Side Request Forgery (SSRF) vulnerability exists in the firebase database check logic of the Mobile Security Framework (MobSF). This allows an attacker to cause the server to make a connection to internal-only services within the organization's infrastructure. When a malicious app is uploaded to the Static analyzer, it is possible to make internal requests. **Recommendations** For versions prior to 3.9.8, update to version 3.9.8 or above to resolve the issue. As a temporary workaround, consider applying a code-level patch until a official patch is available.