MobSF has Stored XSS via Manifest Analysis - Dialer Code Hos...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: GHSA-8hf7-h89p-3pqj
• Blog Title: MobSF has Stored XSS via Manifest Analysis - Dialer Code Host Field
• Suggested Section: Pentesting Web -> XSS (Cross Site Scripting) -> Stored XSS (add subsection: Stored XSS via report generation / unsafe templating sinks like Django |safe; entity-encoded payloads in XML/manifest parsing pipelines)

🎯 Content Summary

Overview
This advisory documents a Stored Cross-Site Scripting (Stored XSS) in MobSF (Mobile Security Framework) during Android manifest analysis. It affects pip package mobsf versions < 4.4.5 and is fixed in 4.4.5. Identifiers: CVE-2026-24490 / GHSA-8hf7-h89p-3pqj. Severity is High, with CVSS v3.1: 8.1 and vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N. Weakness: CWE-79 (XSS).

### How the feature works (manifest analysis → find...

🔧 Technical Details

Stored XSS via “report generation pipeline”: if an application (1) parses a user-supplied artifact (e.g., APK), (2) extracts attacker-controlled fields (e.g., AndroidManifest.xml attributes), (3) interpolates them into HTML-facing strings (e.g., Python % formatting into a title field), and (4) renders them with an explicit “no-escape” sink (e.g., Django template |safe), then an attacker can persist an HTML/JS payload that executes whenever any user opens the generated report. A practical technique is placing an entity-encoded HTML tag inside an XML attribute (e.g., <img src=x onerror=...>) so it becomes active markup once the application disables output escaping.

🤖 Agent Actions

Summary:

• Added a new subsection on stored XSS in generated reports when templating disables escaping, detailing the data flow, exploitation with entity-encoded payloads, and hunting tips.
• Updated references to include the MobSF manifest-analysis advisory relevant to the new stored XSS pattern.

Tests:

• Not run (not applicable for documentation changes).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: GHSA-8hf7-h89p-3pqj

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> XSS (Cross Site Scripting) -> Stored XSS (add subsection: Stored XSS via report generation / unsafe templating sinks like Django |safe; entity-encoded payloads in XML/manifest parsing pipelines)".

Repository Maintenance:

• MD Files Formatting: 944 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0