Skip to main content

bsc Peru Cocktails App CVE-2025-8275

LOW
Improper Export of Android Application Components (CWE-926)
2025-07-28 cna@vuldb.com
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:17 vuln.today

DescriptionCVE.org

A vulnerability, which was classified as problematic, has been found in bsc Peru Cocktails App 1.0.0 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component bsc.devy.peru_cocktails. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.

AnalysisAI

Improper export of Android application components in bsc Peru Cocktails App 1.0.0 allows local authenticated attackers to access unexported activities, services, or broadcast receivers defined in AndroidManifest.xml, leading to information disclosure. The vulnerability has been publicly disclosed with exploit code available, though real-world risk is minimal given the low CVSS score (1.9) and EPSS exploitation probability (0.02%), indicating this affects only authenticated users with local device access and results in limited confidentiality impact.

Technical ContextAI

Android applications declare components (activities, services, broadcast receivers, content providers) in AndroidManifest.xml with an 'exported' attribute that defaults to false in Android 12+. CWE-926 (Implicit Trust of Untrusted Sources) in this context refers to the implicit assumption that unexported components remain inaccessible. When components are not properly marked as unexported or when the manifest is misconfigured, other applications or local processes running on the same device can invoke these components via explicit intents, bypassing intended access controls. The bsc.devy.peru_cocktails component in this app fails to properly restrict component exposure, allowing privileged local access to sensitive functionality.

Affected ProductsAI

bsc Peru Cocktails App version 1.0.0 on Android (component identifier: bsc.devy.peru_cocktails). The vulnerability is specific to the AndroidManifest.xml configuration in this application version. No other versions or products are identified as affected.

RemediationAI

Update to a patched version if available from the developer, or manually remediate by editing AndroidManifest.xml to explicitly set android:exported="false" on all activity, service, broadcast receiver, and content provider components that should not be accessible to other applications. For Android 12+, Google enforces this requirement, but older targets may default to exported="true". Add appropriate intent-filter restrictions and use permission-based access control if inter-app communication is necessary. Verify the remediation by using Android's package manager (adb shell dumpsys package bsc.devy.peru_cocktails) to confirm no unintended components are exported. No vendor advisory URL is available; users should contact the app developer directly or check the GitHub repository listed in references for updates.

Share

CVE-2025-8275 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy