Stored Cross-Site Scripting (XSS) in MobSF

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. According to Apple's documentation for bundle ID's, it must contain only alphanumeric characters (A–Z, a–z, and 0–9), hyphens (-), and periods (.). However, an attacker can manually modify this value in the `Info.plist` file and add special characters to the `<key>CFBundleIdentifier</key>` value. The `dynamic_analysis.html` file does not sanitize the received bundle value from Corellium and as a result, it is possible to break the HTML context and achieve Stored XSS. This issue has been addressed in version 4.3.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Mobile Security Framework 跨站脚本漏洞

Mobile Security Framework（MobSF）是Mobile Security Framework开源的一种自动化的一体化移动应用程序。用于渗透测试、恶意软件分析和安全评估，能够执行静态和动态分析。 Mobile Security Framework (MobSF)存在跨站脚本漏洞，该漏洞源于Info.plist文件中的值可被攻击者手动添加特殊字符，容易受到存储型跨站脚本攻击。

N/A

N/A