{"id":"CVE-2023-42261","details":"Mobile Security Framework (MobSF) \u003c=v3.7.8 Beta is vulnerable to Insecure Permissions. NOTE: the vendor's position is that authentication is intentionally not implemented because the product is not intended for an untrusted network environment. Use cases requiring authentication could, for example, use a reverse proxy server.","aliases":["GHSA-cc8j-6phr-jv9x","PYSEC-2023-310"],"modified":"2026-06-10T17:11:17.373173845Z","published":"2023-09-21T22:15:11.823Z","references":[{"type":"REPORT","url":"https://github.com/MobSF/Mobile-Security-Framework-MobSF/issues/1211"},{"type":"REPORT","url":"https://github.com/MobSF/Mobile-Security-Framework-MobSF/issues/748"},{"type":"FIX","url":"https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/abb47659a19ac772765934f184c65fe16cb3bee7/docker-compose.yml#L30-L31"},{"type":"EVIDENCE","url":"https://github.com/woshinibaba222/hack16/blob/main/Unauthorized%20Access%20to%20MobSF.md"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mobsf/mobile-security-framework-mobsf","events":[{"introduced":"0"},{"last_affected":"bb700fa071c8ae8f03ccd5d132bcb8b14473a790"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.7.6"}]}}],"versions":["0.8.3","0.8.4","0.8.5","0.8.6","0.8.7","0.8.8","0.8.8.1","0.8.8.2","0.9","0.9.1","v0.9.2","v0.9.3","v0.9.3.1","v0.9.3.2","v0.9.3.3","v0.9.3.5","v0.9.3.6","v0.9.3.7","v0.9.4","v0.9.4.1","v0.9.4.2","v0.9.5","v0.9.5.2","v0.9.5.4","v0.9.5.5","v1.0.3Beta","v1.1.5","v1.1.6","v2.0.0","v3.0.0","v3.0.1","v3.0.5","v3.1.1","v3.2.6","v3.2.8","v3.2.9","v3.3.3","v3.3.5","v3.4.0","v3.4.3","v3.4.6","v3.5.0","v3.6.0","v3.6.9","v3.7.6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-42261.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"3.7.8-beta"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}