MobSF Path Traversal in GET /download/<filename> using absolute filenames

MobSF is a mobile application security testing tool used. In version 4.4.0, the GET /download/ route uses string path verification via os.path.commonprefix, which allows an authenticated user to download files outside the DWD_DIR download directory from "neighboring" directories whose absolute paths begin with the same prefix as DWD_DIR (e.g., .../downloads_bak, .../downloads.old). This is a Directory Traversal (escape) leading to a data leak. This issue has been patched in version 4.4.1.

N/A

对路径名的限制不恰当(路径遍历)

Mobile Security Framework 路径遍历漏洞

Mobile Security Framework（MobSF）是Mobile Security Framework开源的一种自动化的一体化移动应用程序。用于渗透测试、恶意软件分析和安全评估，能够执行静态和动态分析。 Mobile Security Framework 4.4.0版本存在路径遍历漏洞，该漏洞源于GET /download/路由路径验证不当，可能导致目录遍历和数据泄露。

N/A

N/A