CWE-926
Improper Export of Android Application Components
The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.
CVE-2025-8275 (GCVE-0-2025-8275)
Vulnerability from cvelistv5 – Published: 2025-07-28 12:02 – Updated: 2025-07-28 13:28
Title
bsc Peru Cocktails App bsc.devy.peru_cocktails AndroidManifest.xml improper export of android application components
Summary
A vulnerability, which was classified as problematic, has been found in bsc Peru Cocktails App 1.0.0 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component bsc.devy.peru_cocktails. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
Severity
CWE
- CWE-926 - Improper Export of Android Application Components
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.317864 | vdb-entry |
| https://vuldb.com/?ctiid.317864 | signature, permissions-required |
| https://vuldb.com/?submit.623582 | third-party-advisory |
| https://github.com/KMov-g/androidapps/blob/main/b… | exploit |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| bsc | Peru Cocktails App | Affected: 1.0.0 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8275",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-28T13:28:27.220654Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T13:28:40.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"bsc.devy.peru_cocktails"
],
"product": "Peru Cocktails App",
"vendor": "bsc",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as problematic, has been found in bsc Peru Cocktails App 1.0.0 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component bsc.devy.peru_cocktails. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "Eine problematische Schwachstelle wurde in bsc Peru Cocktails App 1.0.0 f\u00fcr Android entdeckt. Hierbei geht es um eine nicht exakt ausgemachte Funktion der Datei AndroidManifest.xml der Komponente bsc.devy.peru_cocktails. Durch Manipulieren mit unbekannten Daten kann eine improper export of android application components-Schwachstelle ausgenutzt werden. Der Angriff muss lokal passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-926",
"description": "Improper Export of Android Application Components",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T12:02:05.803Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-317864 | bsc Peru Cocktails App bsc.devy.peru_cocktails AndroidManifest.xml improper export of android application components",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.317864"
},
{
"name": "VDB-317864 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.317864"
},
{
"name": "Submit #623582 | bsc inc Peru Cocktails(bsc.devy.peru_cocktails) 1.0.0 Task Hijacking",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.623582"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/KMov-g/androidapps/blob/main/bsc.devy.peru_cocktails.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-07-27T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-07-27T20:48:05.000Z",
"value": "VulDB entry last update"
}
],
"title": "bsc Peru Cocktails App bsc.devy.peru_cocktails AndroidManifest.xml improper export of android application components"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-8275",
"datePublished": "2025-07-28T12:02:05.803Z",
"dateReserved": "2025-07-27T18:42:57.624Z",
"dateUpdated": "2025-07-28T13:28:40.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8512 (GCVE-0-2025-8512)
Vulnerability from cvelistv5 – Published: 2025-08-03 14:02 – Updated: 2025-08-04 18:37
Title
TVB Big Big Shop App hk.com.tvb.bigbigshop AndroidManifest.xml improper export of android application components
Summary
A vulnerability, which was classified as problematic, has been found in TVB Big Big Shop App 2.9.0 on Android. This issue affects some unknown processing of the file AndroidManifest.xml of the component hk.com.tvb.bigbigshop. The manipulation leads to improper export of android application components. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
CWE
- CWE-926 - Improper Export of Android Application Components
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.318611 | vdb-entry |
| https://vuldb.com/?ctiid.318611 | signature, permissions-required |
| https://vuldb.com/?submit.619028 | third-party-advisory |
| https://github.com/KMov-g/androidapps/blob/main/h… | exploit |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| TVB | Big Big Shop App | Affected: 2.9.0 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8512",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-04T18:37:17.616301Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T18:37:38.290Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"hk.com.tvb.bigbigshop"
],
"product": "Big Big Shop App",
"vendor": "TVB",
"versions": [
{
"status": "affected",
"version": "2.9.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as problematic, has been found in TVB Big Big Shop App 2.9.0 on Android. This issue affects some unknown processing of the file AndroidManifest.xml of the component hk.com.tvb.bigbigshop. The manipulation leads to improper export of android application components. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in TVB Big Big Shop App 2.9.0 f\u00fcr Android entdeckt. Sie wurde als problematisch eingestuft. Es geht hierbei um eine nicht n\u00e4her spezifizierte Funktion der Datei AndroidManifest.xml der Komponente hk.com.tvb.bigbigshop. Durch das Manipulieren mit unbekannten Daten kann eine improper export of android application components-Schwachstelle ausgenutzt werden. Umgesetzt werden muss der Angriff lokal. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-926",
"description": "Improper Export of Android Application Components",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-03T14:02:05.823Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-318611 | TVB Big Big Shop App hk.com.tvb.bigbigshop AndroidManifest.xml improper export of android application components",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.318611"
},
{
"name": "VDB-318611 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.318611"
},
{
"name": "Submit #619028 | Big Big Channel Limited big big shop 2.9.0 Task Hijacking",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.619028"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/KMov-g/androidapps/blob/main/hk.com.tvb.bigbigshop.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-02T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-02T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-02T17:39:33.000Z",
"value": "VulDB entry last update"
}
],
"title": "TVB Big Big Shop App hk.com.tvb.bigbigshop AndroidManifest.xml improper export of android application components"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-8512",
"datePublished": "2025-08-03T14:02:05.823Z",
"dateReserved": "2025-08-02T15:34:28.416Z",
"dateUpdated": "2025-08-04T18:37:38.290Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8513 (GCVE-0-2025-8513)
Vulnerability from cvelistv5 – Published: 2025-08-03 14:32 – Updated: 2025-08-04 18:35
Title
Caixin News App com.caixin.news AndroidManifest.xml improper export of android application components
Summary
A vulnerability, which was classified as problematic, was found in Caixin News App 8.0.1 on Android. Affected is an unknown function of the file AndroidManifest.xml of the component com.caixin.news. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
CWE
- CWE-926 - Improper Export of Android Application Components
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.318612 | vdb-entry |
| https://vuldb.com/?ctiid.318612 | signature, permissions-required |
| https://vuldb.com/?submit.619029 | third-party-advisory |
| https://github.com/KMov-g/androidapps/blob/main/c… | exploit |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8513",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-04T18:35:01.990923Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T18:35:28.767Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"com.caixin.news"
],
"product": "News App",
"vendor": "Caixin",
"versions": [
{
"status": "affected",
"version": "8.0.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as problematic, was found in Caixin News App 8.0.1 on Android. Affected is an unknown function of the file AndroidManifest.xml of the component com.caixin.news. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Caixin News App 8.0.1 f\u00fcr Android gefunden. Sie wurde als problematisch eingestuft. Es geht dabei um eine nicht klar definierte Funktion der Datei AndroidManifest.xml der Komponente com.caixin.news. Durch Manipulieren mit unbekannten Daten kann eine improper export of android application components-Schwachstelle ausgenutzt werden. Der Angriff hat dabei lokal zu erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-926",
"description": "Improper Export of Android Application Components",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-03T14:32:05.191Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-318612 | Caixin News App com.caixin.news AndroidManifest.xml improper export of android application components",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.318612"
},
{
"name": "VDB-318612 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.318612"
},
{
"name": "Submit #619029 | Caixin Media Company Limited Caixin News 8.0.1 Task Hijacking",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.619029"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/KMov-g/androidapps/blob/main/com.caixin.news.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-02T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-02T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-02T17:41:34.000Z",
"value": "VulDB entry last update"
}
],
"title": "Caixin News App com.caixin.news AndroidManifest.xml improper export of android application components"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-8513",
"datePublished": "2025-08-03T14:32:05.191Z",
"dateReserved": "2025-08-02T15:35:58.887Z",
"dateUpdated": "2025-08-04T18:35:28.767Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8523 (GCVE-0-2025-8523)
Vulnerability from cvelistv5 – Published: 2025-08-04 19:32 – Updated: 2025-08-04 19:59
Title
RiderLike Fruit Crush-Brain App com.fruitcrush.fun AndroidManifest.xml improper export of android application components
Summary
A vulnerability has been found in RiderLike Fruit Crush-Brain App 1.0 on Android and classified as problematic. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.fruitcrush.fun. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
CWE
- CWE-926 - Improper Export of Android Application Components
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.318649 | vdb-entry |
| https://vuldb.com/?ctiid.318649 | signature, permissions-required |
| https://vuldb.com/?submit.619035 | third-party-advisory |
| https://github.com/KMov-g/androidapps/blob/main/c… | exploit |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| RiderLike | Fruit Crush-Brain App | Affected: 1.0 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8523",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-04T19:59:47.414372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T19:59:57.687Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"com.fruitcrush.fun"
],
"product": "Fruit Crush-Brain App",
"vendor": "RiderLike",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in RiderLike Fruit Crush-Brain App 1.0 on Android and classified as problematic. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.fruitcrush.fun. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "In RiderLike Fruit Crush-Brain App 1.0 f\u00fcr Android wurde eine Schwachstelle gefunden. Sie wurde als problematisch eingestuft. Hierbei betrifft es unbekannten Programmcode der Datei AndroidManifest.xml der Komponente com.fruitcrush.fun. Dank Manipulation mit unbekannten Daten kann eine improper export of android application components-Schwachstelle ausgenutzt werden. Der Angriff muss lokal angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-926",
"description": "Improper Export of Android Application Components",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T19:32:05.733Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-318649 | RiderLike Fruit Crush-Brain App com.fruitcrush.fun AndroidManifest.xml improper export of android application components",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.318649"
},
{
"name": "VDB-318649 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.318649"
},
{
"name": "Submit #619035 | RiderLike Fruit Crush-Brain 1.0.0 Task Hijacking",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.619035"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/KMov-g/androidapps/blob/main/com.fruitcrush.fun.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-04T08:37:59.000Z",
"value": "VulDB entry last update"
}
],
"title": "RiderLike Fruit Crush-Brain App com.fruitcrush.fun AndroidManifest.xml improper export of android application components"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-8523",
"datePublished": "2025-08-04T19:32:05.733Z",
"dateReserved": "2025-08-04T06:32:55.900Z",
"dateUpdated": "2025-08-04T19:59:57.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8524 (GCVE-0-2025-8524)
Vulnerability from cvelistv5 – Published: 2025-08-04 20:02 – Updated: 2025-08-04 20:17
Title
Boquan DotWallet App com.boquanhash.dotwallet AndroidManifest.xml improper export of android application components
Summary
A vulnerability was found in Boquan DotWallet App 2.15.2 on Android and classified as problematic. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.boquanhash.dotwallet. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
CWE
- CWE-926 - Improper Export of Android Application Components
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.318650 | vdb-entry |
| https://vuldb.com/?ctiid.318650 | signature, permissions-required |
| https://vuldb.com/?submit.619037 | third-party-advisory |
| https://github.com/KMov-g/androidapps/blob/main/c… | exploit |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Boquan | DotWallet App | Affected: 2.15.2 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8524",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-04T20:15:34.549608Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T20:17:54.897Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"com.boquanhash.dotwallet"
],
"product": "DotWallet App",
"vendor": "Boquan",
"versions": [
{
"status": "affected",
"version": "2.15.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Boquan DotWallet App 2.15.2 on Android and classified as problematic. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.boquanhash.dotwallet. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in Boquan DotWallet App 2.15.2 f\u00fcr Android gefunden. Sie wurde als problematisch eingestuft. Davon betroffen ist unbekannter Code der Datei AndroidManifest.xml der Komponente com.boquanhash.dotwallet. Mit der Manipulation mit unbekannten Daten kann eine improper export of android application components-Schwachstelle ausgenutzt werden. Der Angriff muss lokal passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-926",
"description": "Improper Export of Android Application Components",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T20:02:05.674Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-318650 | Boquan DotWallet App com.boquanhash.dotwallet AndroidManifest.xml improper export of android application components",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.318650"
},
{
"name": "VDB-318650 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.318650"
},
{
"name": "Submit #619037 | Boquan DotWallet(com.boquanhash.dotwallet) 2.15.2 Task Hijacking",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.619037"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/KMov-g/androidapps/blob/main/com.boquanhash.dotwallet.md"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-04T08:42:04.000Z",
"value": "VulDB entry last update"
}
],
"title": "Boquan DotWallet App com.boquanhash.dotwallet AndroidManifest.xml improper export of android application components"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-8524",
"datePublished": "2025-08-04T20:02:05.674Z",
"dateReserved": "2025-08-04T06:37:00.383Z",
"dateUpdated": "2025-08-04T20:17:54.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8707 (GCVE-0-2025-8707)
Vulnerability from cvelistv5 – Published: 2025-08-08 02:02 – Updated: 2025-08-08 18:56
Title
Huuge Box App com.huuge.game.zjbox AndroidManifest.xml improper export of android application components
Summary
A vulnerability was found in Huuge Box App 1.0.3 on Android. It has been classified as problematic. This affects an unknown part of the file AndroidManifest.xml of the component com.huuge.game.zjbox. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
Severity
CWE
- CWE-926 - Improper Export of Android Application Components
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.319137 | vdb-entry |
| https://vuldb.com/?ctiid.319137 | signature, permissions-required |
| https://vuldb.com/?submit.619858 | third-party-advisory |
| https://github.com/KMov-g/androidapps/blob/main/c… | related |
| https://github.com/KMov-g/androidapps/blob/main/c… | exploit |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8707",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-08T18:56:12.606990Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-08T18:56:15.754Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/KMov-g/androidapps/blob/main/com.huuge.game.zjbox.md#steps-to-reproduce"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/KMov-g/androidapps/blob/main/com.huuge.game.zjbox.md"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"com.huuge.game.zjbox"
],
"product": "Box App",
"vendor": "Huuge",
"versions": [
{
"status": "affected",
"version": "1.0.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Huuge Box App 1.0.3 on Android. It has been classified as problematic. This affects an unknown part of the file AndroidManifest.xml of the component com.huuge.game.zjbox. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Huuge Box App 1.0.3 f\u00fcr Android ausgemacht. Sie wurde als problematisch eingestuft. Es geht dabei um eine nicht klar definierte Funktion der Datei AndroidManifest.xml der Komponente com.huuge.game.zjbox. Mittels dem Manipulieren mit unbekannten Daten kann eine improper export of android application components-Schwachstelle ausgenutzt werden. Der Angriff muss lokal erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-926",
"description": "Improper Export of Android Application Components",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-08T02:02:06.472Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-319137 | Huuge Box App com.huuge.game.zjbox AndroidManifest.xml improper export of android application components",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.319137"
},
{
"name": "VDB-319137 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.319137"
},
{
"name": "Submit #619858 | Paulet team Huuge Box(com.huuge.game.zjbox) 1.0.3 Task Hijacking",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.619858"
},
{
"tags": [
"related"
],
"url": "https://github.com/KMov-g/androidapps/blob/main/com.huuge.game.zjbox.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/KMov-g/androidapps/blob/main/com.huuge.game.zjbox.md#steps-to-reproduce"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-07T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-07T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-07T16:16:26.000Z",
"value": "VulDB entry last update"
}
],
"title": "Huuge Box App com.huuge.game.zjbox AndroidManifest.xml improper export of android application components"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-8707",
"datePublished": "2025-08-08T02:02:06.472Z",
"dateReserved": "2025-08-07T14:11:23.335Z",
"dateUpdated": "2025-08-08T18:56:15.754Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8745 (GCVE-0-2025-8745)
Vulnerability from cvelistv5 – Published: 2025-08-09 05:02 – Updated: 2025-08-11 18:33
Title
Weee RICEPO App com.ricepo.app AndroidManifest.xml improper export of android application components
Summary
A vulnerability, which was classified as problematic, has been found in Weee RICEPO App 6.17.77 on Android. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.ricepo.app. The manipulation leads to improper export of android application components. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CWE
- CWE-926 - Improper Export of Android Application Components
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.319241 | vdb-entry |
| https://vuldb.com/?ctiid.319241 | signature, permissions-required |
| https://vuldb.com/?submit.623581 | third-party-advisory |
| https://github.com/KMov-g/androidapps/blob/main/c… | related |
| https://github.com/KMov-g/androidapps/blob/main/c… | exploit |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Weee | RICEPO App | Affected: 6.17.77 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8745",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-11T18:11:52.847613Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T18:33:45.620Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/KMov-g/androidapps/blob/main/com.ricepo.app.md"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"com.ricepo.app"
],
"product": "RICEPO App",
"vendor": "Weee",
"versions": [
{
"status": "affected",
"version": "6.17.77"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as problematic, has been found in Weee RICEPO App 6.17.77 on Android. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.ricepo.app. The manipulation leads to improper export of android application components. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in Weee RICEPO App 6.17.77 f\u00fcr Android entdeckt. Sie wurde als problematisch eingestuft. Es geht hierbei um eine nicht n\u00e4her spezifizierte Funktion der Datei AndroidManifest.xml der Komponente com.ricepo.app. Durch Beeinflussen mit unbekannten Daten kann eine improper export of android application components-Schwachstelle ausgenutzt werden. Umgesetzt werden muss der Angriff lokal. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-926",
"description": "Improper Export of Android Application Components",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-09T05:02:05.495Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-319241 | Weee RICEPO App com.ricepo.app AndroidManifest.xml improper export of android application components",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.319241"
},
{
"name": "VDB-319241 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.319241"
},
{
"name": "Submit #623581 | Ricepo LLC RICEPO by Weee(com.ricepo.app) 6.17.77 Task Hijacking",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.623581"
},
{
"tags": [
"related"
],
"url": "https://github.com/KMov-g/androidapps/blob/main/com.ricepo.app.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/KMov-g/androidapps/blob/main/com.ricepo.app.md#steps-to-reproduce"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-08T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-08T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-08T11:04:09.000Z",
"value": "VulDB entry last update"
}
],
"title": "Weee RICEPO App com.ricepo.app AndroidManifest.xml improper export of android application components"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-8745",
"datePublished": "2025-08-09T05:02:05.495Z",
"dateReserved": "2025-08-08T08:58:52.773Z",
"dateUpdated": "2025-08-11T18:33:45.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9093 (GCVE-0-2025-9093)
Vulnerability from cvelistv5 – Published: 2025-08-17 22:02 – Updated: 2025-08-18 13:13
Title
BuzzFeed App com.buzzfeed.android AndroidManifest.xml improper export of android application components
Summary
A security vulnerability has been detected in BuzzFeed App 2024.9 on Android. This affects an unknown part of the file AndroidManifest.xml of the component com.buzzfeed.android. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
CWE
- CWE-926 - Improper Export of Android Application Components
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.320415 | vdb-entry |
| https://vuldb.com/?ctiid.320415 | signature, permissions-required |
| https://vuldb.com/?submit.623584 | third-party-advisory |
| https://github.com/KMov-g/androidapps/blob/main/c… | related |
| https://github.com/KMov-g/androidapps/blob/main/c… | exploit |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| n/a | BuzzFeed App | Affected: 2024.9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9093",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-18T13:13:44.953759Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T13:13:48.756Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/KMov-g/androidapps/blob/main/com.buzzfeed.android.md#steps-to-reproduce"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/KMov-g/androidapps/blob/main/com.buzzfeed.android.md"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"com.buzzfeed.android"
],
"product": "BuzzFeed App",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2024.9"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in BuzzFeed App 2024.9 on Android. This affects an unknown part of the file AndroidManifest.xml of the component com.buzzfeed.android. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "In BuzzFeed App 2024.9 auf Android ist eine Schwachstelle entdeckt worden. Es betrifft eine unbekannte Funktion der Datei AndroidManifest.xml der Komponente com.buzzfeed.android. Durch das Manipulieren mit unbekannten Daten kann eine improper export of android application components-Schwachstelle ausgenutzt werden. Der Angriff muss lokal erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-926",
"description": "Improper Export of Android Application Components",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-17T22:02:06.368Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-320415 | BuzzFeed App com.buzzfeed.android AndroidManifest.xml improper export of android application components",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.320415"
},
{
"name": "VDB-320415 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.320415"
},
{
"name": "Submit #623584 | BuzzFeed BuzzFeed(com.buzzfeed.android) 2024.9 Task Hijacking",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.623584"
},
{
"tags": [
"related"
],
"url": "https://github.com/KMov-g/androidapps/blob/main/com.buzzfeed.android.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/KMov-g/androidapps/blob/main/com.buzzfeed.android.md#steps-to-reproduce"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-17T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-17T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-17T14:42:06.000Z",
"value": "VulDB entry last update"
}
],
"title": "BuzzFeed App com.buzzfeed.android AndroidManifest.xml improper export of android application components"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9093",
"datePublished": "2025-08-17T22:02:06.368Z",
"dateReserved": "2025-08-17T12:36:56.626Z",
"dateUpdated": "2025-08-18T13:13:48.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9097 (GCVE-0-2025-9097)
Vulnerability from cvelistv5 – Published: 2025-08-18 00:02 – Updated: 2025-08-18 17:13
Title
Euro Information CIC banque et compte en ligne App com.cic_prod.bad AndroidManifest.xml improper export of android application components
Summary
A vulnerability was found in Euro Information CIC banque et compte en ligne App 12.56.0 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.cic_prod.bad. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CWE
- CWE-926 - Improper Export of Android Application Components
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.320419 | vdb-entry |
| https://vuldb.com/?ctiid.320419 | signature, permissions-required |
| https://vuldb.com/?submit.627899 | third-party-advisory |
| https://github.com/KMov-g/androidapps/blob/main/c… | related |
| https://github.com/KMov-g/androidapps/blob/main/c… | exploit |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Euro Information | CIC banque et compte en ligne App | Affected: 12.56.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9097",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-18T17:12:48.337228Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T17:13:45.340Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"com.cic_prod.bad"
],
"product": "CIC banque et compte en ligne App",
"vendor": "Euro Information",
"versions": [
{
"status": "affected",
"version": "12.56.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Euro Information CIC banque et compte en ligne App 12.56.0 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.cic_prod.bad. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "In Euro Information CIC banque et compte en ligne App 12.56.0 auf Android ist eine Schwachstelle entdeckt worden. Hierbei betrifft es unbekannten Programmcode der Datei AndroidManifest.xml der Komponente com.cic_prod.bad. Dank der Manipulation mit unbekannten Daten kann eine improper export of android application components-Schwachstelle ausgenutzt werden. Der Angriff muss lokal angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-926",
"description": "Improper Export of Android Application Components",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T00:02:05.870Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-320419 | Euro Information CIC banque et compte en ligne App com.cic_prod.bad AndroidManifest.xml improper export of android application components",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.320419"
},
{
"name": "VDB-320419 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.320419"
},
{
"name": "Submit #627899 | Euro Information CIC banque(com.cic_prod.bad) 12.56.0 Task Hijacking",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.627899"
},
{
"tags": [
"related"
],
"url": "https://github.com/KMov-g/androidapps/blob/main/com.cic_prod.bad.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/KMov-g/androidapps/blob/main/com.cic_prod.bad.md#steps-to-reproduce"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-17T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-17T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-17T15:18:11.000Z",
"value": "VulDB entry last update"
}
],
"title": "Euro Information CIC banque et compte en ligne App com.cic_prod.bad AndroidManifest.xml improper export of android application components"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9097",
"datePublished": "2025-08-18T00:02:05.870Z",
"dateReserved": "2025-08-17T13:13:08.031Z",
"dateUpdated": "2025-08-18T17:13:45.340Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9098 (GCVE-0-2025-9098)
Vulnerability from cvelistv5 – Published: 2025-08-18 00:32 – Updated: 2025-08-18 16:48
Title
Elseplus File Recovery App AndroidManifest.xml improper export of android application components
Summary
A vulnerability was determined in Elseplus File Recovery App 4.4.21 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CWE
- CWE-926 - Improper Export of Android Application Components
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.320420 | vdb-entry |
| https://vuldb.com/?ctiid.320420 | signature, permissions-required |
| https://vuldb.com/?submit.627902 | third-party-advisory |
| https://github.com/KMov-g/androidapps/blob/main/c… | related |
| https://github.com/KMov-g/androidapps/blob/main/c… | exploit |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Elseplus | File Recovery App | Affected: 4.4.21 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9098",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-18T16:48:38.121192Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T16:48:46.237Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "File Recovery App",
"vendor": "Elseplus",
"versions": [
{
"status": "affected",
"version": "4.4.21"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fxizenta (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in Elseplus File Recovery App 4.4.21 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in Elseplus File Recovery App 4.4.21 auf Android gefunden. Davon betroffen ist unbekannter Code der Datei AndroidManifest.xml. Dank Manipulation mit unbekannten Daten kann eine improper export of android application components-Schwachstelle ausgenutzt werden. Der Angriff muss lokal passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-926",
"description": "Improper Export of Android Application Components",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-18T00:32:05.703Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-320420 | Elseplus File Recovery App AndroidManifest.xml improper export of android application components",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.320420"
},
{
"name": "VDB-320420 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.320420"
},
{
"name": "Submit #627902 | elseplus lib File Recovery(com.elseplus.filerecovery) 4.4.21 Task Hijacking",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.627902"
},
{
"tags": [
"related"
],
"url": "https://github.com/KMov-g/androidapps/blob/main/com.elseplus.filerecovery.md"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/KMov-g/androidapps/blob/main/com.elseplus.filerecovery.md#steps-to-reproduce"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-17T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-17T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-17T15:19:58.000Z",
"value": "VulDB entry last update"
}
],
"title": "Elseplus File Recovery App AndroidManifest.xml improper export of android application components"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9098",
"datePublished": "2025-08-18T00:32:05.703Z",
"dateReserved": "2025-08-17T13:14:40.124Z",
"dateUpdated": "2025-08-18T16:48:46.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Build and Compilation
Strategy: Attack Surface Reduction
Description:
- If they do not need to be shared by other applications, explicitly mark components with android:exported="false" in the application manifest.
Mitigation
Phase: Build and Compilation
Strategy: Attack Surface Reduction
Description:
- If you only intend to use exported components between related apps under your control, use android:protectionLevel="signature" in the XML manifest to restrict access to applications signed by you.
Mitigation
Phases: Build and Compilation, Architecture and Design
Strategy: Attack Surface Reduction
Description:
- Limit Content Provider permissions (read/write) as appropriate.
Mitigation
Phases: Build and Compilation, Architecture and Design
Strategy: Separation of Privilege
Description:
- Limit Content Provider permissions (read/write) as appropriate.
No CAPEC attack patterns related to this CWE.