bsc Peru Cocktails App CVE-2025-8275
LOWSeverity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability, which was classified as problematic, has been found in bsc Peru Cocktails App 1.0.0 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component bsc.devy.peru_cocktails. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.
AnalysisAI
Improper export of Android application components in bsc Peru Cocktails App 1.0.0 allows local authenticated attackers to access unexported activities, services, or broadcast receivers defined in AndroidManifest.xml, leading to information disclosure. The vulnerability has been publicly disclosed with exploit code available, though real-world risk is minimal given the low CVSS score (1.9) and EPSS exploitation probability (0.02%), indicating this affects only authenticated users with local device access and results in limited confidentiality impact.
Technical ContextAI
Android applications declare components (activities, services, broadcast receivers, content providers) in AndroidManifest.xml with an 'exported' attribute that defaults to false in Android 12+. CWE-926 (Implicit Trust of Untrusted Sources) in this context refers to the implicit assumption that unexported components remain inaccessible. When components are not properly marked as unexported or when the manifest is misconfigured, other applications or local processes running on the same device can invoke these components via explicit intents, bypassing intended access controls. The bsc.devy.peru_cocktails component in this app fails to properly restrict component exposure, allowing privileged local access to sensitive functionality.
Affected ProductsAI
bsc Peru Cocktails App version 1.0.0 on Android (component identifier: bsc.devy.peru_cocktails). The vulnerability is specific to the AndroidManifest.xml configuration in this application version. No other versions or products are identified as affected.
RemediationAI
Update to a patched version if available from the developer, or manually remediate by editing AndroidManifest.xml to explicitly set android:exported="false" on all activity, service, broadcast receiver, and content provider components that should not be accessible to other applications. For Android 12+, Google enforces this requirement, but older targets may default to exported="true". Add appropriate intent-filter restrictions and use permission-based access control if inter-app communication is necessary. Verify the remediation by using Android's package manager (adb shell dumpsys package bsc.devy.peru_cocktails) to confirm no unintended components are exported. No vendor advisory URL is available; users should contact the app developer directly or check the GitHub repository listed in references for updates.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today