CVE-2023-42261
published 2023-09-21
Priority P3 · 45 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.69% (48.2th percentile)
Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions. NOTE: the vendor's position is that authentication is intentionally not implemented because the product is not intended for an untrusted network environment. Use cases requiring authentication could, for example, use a reverse proxy server.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| opensecurity | mobile_security_framework | <= 3.7.6 | — |
| opensecurity | mobile_security_framework | — | — |
GHSA
Withdrawn Advisory: Mobile Security Framework (MobSF) Vulnerable to Insecure Permissions
ghsa·2023-09-22
CVE-2023-42261 [HIGH] CWE-276 Withdrawn Advisory: Mobile Security Framework (MobSF) Vulnerable to Insecure Permissions
## Withdrawn Advisory
This advisory has been withdrawn because the vendor's position is that authentication is intentionally not implemented because the product is not intended for an untrusted network environment. Use cases requiring authentication could, for example, use a reverse proxy server.
## Original Description
Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions.
OSV
CVE-2023-42261: Mobile Security Framework (MobSF) <=v3
osv·2023-09-21
CVE-2023-42261 CVE-2023-42261: Mobile Security Framework (MobSF) <=v3
Mobile Security Framework (MobSF) <=v3.7.8 Beta is vulnerable to Insecure Permissions. NOTE: the vendor's position is that authentication is intentionally not implemented because the product is not intended for an untrusted network environment. Use cases requiring authentication could, for example, use a reverse proxy server.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/abb47659a19ac772765934f184c65fe16cb3bee7/docker-compose.yml#L30-L31
https://github.com/MobSF/Mobile-Security-Framework-MobSF/issues/1211
https://github.com/MobSF/Mobile-Security-Framework-MobSF/issues/748
https://github.com/woshinibaba222/hack16/blob/main/Unauthorized%20Access%20to%20MobSF.md
Published: 2023-09-21