CVE-2024-41955: MobSF vulnerable to Open Redirect in Login Redirect
An open redirect vulnerability exist in MobSF authentication view.
PoC
- Go to http://127.0.0.1:8000/login/?next=//afine.com in a web browser.
- Enter credentials and press “Sign In”.
- You will be redirected to afine.com
Users who are not using authentication are not impacted.
References
- github.com/MobSF/Mobile-Security-Framework-MobSF
- github.com/MobSF/Mobile-Security-Framework-MobSF/commit/fdaad81314f393d324c1ede79627e9d47986c8c8
- github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-8m9j-2f32-2vx4
- github.com/advisories/GHSA-8m9j-2f32-2vx4
- nvd.nist.gov/vuln/detail/CVE-2024-41955
Code Behaviors & Features
Detect and mitigate CVE-2024-41955 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →