CVE-2024-53999

Name of the Vulnerable Software and Affected Versions: Mobile Security Framework (MobSF) versions prior to 4.2.9

Description: The application allows users to upload files with scripts in the filename parameter. As a result, a malicious user can upload a script file to the system. When users in the application use the "Diff or Compare" functionality, they are affected by a Stored Cross-Site Scripting vulnerability. This issue occurs because the upload functionality allows users to upload files with special characters such as <, >, /, and " in the filename. The vulnerability can be exploited to steal information from other users or administrators when they perform the compare functionality.

Recommendations: For versions prior to 4.2.9, update to version 4.2.9 to fix the vulnerability. As a temporary workaround, consider restricting file uploads to filenames containing only whitelisted characters, such as A-Z, 0-9, and specific special characters permitted by business requirements, like - or . Additionally, avoid using the "Diff or Compare" functionality until the issue is resolved.