Upon reviewing the MobSF source code, I identified a flaw in the Static Libraries analysis section. Specifically, during the extraction of .a extension files, the measure intended to prevent Zip Slip attacks is improperly implemented. Since the implemented measure can be bypassed, the vulnerability allows an attacker to extract files to any desired location within the server running MobSF.
An open redirect vulnerability exist in MobSF authentication view. PoC Go to http://127.0.0.1:8000/login/?next=//afine.com in a web browser. Enter credentials and press "Sign In". You will be redirected to afine.com Users who are not using authentication are not impacted.
What kind of vulnerability is it? Who is impacted? SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization’s infrastructure. When malicious app is uploaded to Static analyzer, it is possible to make internal requests. Credits: Oleg Surnin (Positive Technologies).
Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the StaticAnalyzer/views.py script. This vulnerability allows attackers to read arbitrary files via a crafted HTTP request.