Foresight News App
CVE-2025-7893
Severity: LOW (primary rating from NVD, the only source for this CVE)
CVSS Vector (NVD): CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability classified as problematic was found in Foresight News App up to 2.6.4 on Android. This vulnerability affects unknown code of the file AndroidManifest.xml of the component pro.foresightnews.appa. The manipulation leads to improper export of android application components. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Foresight News App for Android versions up to 2.6.4 improperly exports application components via AndroidManifest.xml, allowing local attackers with limited privileges to access sensitive information. The CVSS 1.9 score reflects low actual impact (information disclosure only, no integrity or availability loss), though the vulnerability is publicly exploitable. EPSS percentile of 13% indicates minimal real-world exploitation likelihood despite public POC availability, suggesting this is a low-priority issue for most deployments.
Technical Context (AI)
This vulnerability stems from improper Android component export configuration in AndroidManifest.xml (CWE-926: Improper Export of Android Application Components). Android applications declare activities, services, broadcast receivers, and content providers in AndroidManifest.xml; a component that is exported without a protecting permission can be invoked by other applications or local processes on the device, which may expose data or functionality. The affected product (cpe:2.3:a:foresightnews:foresight_news:*:*:*:*:*:android:*:*) has exposed one or more components that should have been restricted, allowing unauthorized inter-process communication.
Remediation (AI)
No vendor-released patch is available at the time of analysis, as the vendor did not respond to disclosure. Users should immediately upgrade to any version newer than 2.6.4 if one becomes available, or uninstall the app if no update is offered. Compensating controls include: (1) restrict Foresight News installation to trusted, isolated user accounts on shared devices to limit privilege escalation paths; (2) enable Android's restricted profiles or separate user accounts if the device OS version supports them, isolating the app's access to sensitive system data; (3) monitor logcat for unexpected component invocations if the device is rooted or otherwise under your control; (4) consider blocking inter-process communication via SELinux or other system-level enforcement if the device supports it (this is technically complex and may break app functionality). For enterprise deployments, use mobile device management (MDM) to restrict app permissions and disable component export via manifest patching before deployment. None of these controls fully eliminates the vulnerability; only a vendor patch provides a complete fix.