A critical vulnerability has been identified in the Mobile Security Framework (MobSF) that allows attackers to inject malicious scripts into the system.
This vulnerability, CVE-2024-53999 is a Stored Cross-Site Scripting (XSS) flaw found in the “Diff or Compare” functionality, which occurs due to improper handling of file uploads with script-laden filenames.
The vulnerability was discovered in MobSF version 4.2.8 in Github, where the application allows users to upload files with scripts embedded in the filename parameter.
Specifically, the issue arises because the upload feature permits filenames containing special characters such as <, >, /, and “. Such oversights make it possible for a malicious user to upload a script file and set its name to a script value, which the server accepts without validation.
Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar
This oversight can potentially be mitigated by implementing stricter filename validation. By restricting file uploads to filenames containing only whitelisted characters—such as A-Z, 0-9, and specific special characters like – or _ that are permitted by business requirements—this risk could be significantly reduced.
To illustrate this vulnerability, a proof of concept was created with the following steps:
The impact of this vulnerability is significant. By allowing a malicious script to be stored in the system via the filename parameter, attackers can access sensitive information belonging to other users or administrators during the comparison process.
This flaw not only compromises data confidentiality but also poses a persistent threat as the injected script remains stored in the system.
The MobSF team is urged to implement immediate fixes by validating and sanitizing filename inputs to prevent such vulnerabilities.
In the meantime, users are advised to exercise caution and apply any patches or updates released by the MobSF developers to mitigate these security risks.
Analyse Advanced Malware & Phishing Analysis With ANY.RUN Black Friday Deals : Get up to 3 Free Licenses.
A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…
A threat actor known as #LongNight has reportedly put up for sale remote code execution…
Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…
Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…
The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…
Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…