Skip to main content

CWE-925

Improper Verification of Intent by Broadcast Receiver

3 CVEs Avg CVSS 6.7 MITRE
1
CRITICAL
0
HIGH
2
MEDIUM
0
LOW
0
POC
0
KEV

Monthly

CVE-2026-33173 Ruby MEDIUM PATCH This Month

Rails Active Storage's DirectUploadsController accepts and persists arbitrary client-supplied metadata on blob objects, allowing attackers to manipulate internal flags like 'identified' and 'analyzed' that should only be set by the server. This affects Ruby on Rails versions across multiple release branches (7.2.x, 8.0.x, and 8.1.x prior to the patched versions 7.2.3.1, 8.0.4.1, and 8.1.2.1), and while not currently listed in the KEV catalog, patches are available from the vendor indicating acknowledgment of the issue's validity.

Information Disclosure Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2024-10576 CRITICAL Act Now

Infinix devices contain a pre-loaded "com.transsion.agingfunction" application, that exposes an unsecured broadcast receiver. Rated critical severity (CVSS 9.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google
NVD
CVSS 4.0
9.4
EPSS
0.2%
CVE-2023-44126 MEDIUM This Month

The vulnerability is that the Call management ("com.android.server.telecom") app patched by LG sends a lot of LG-owned implicit broadcasts that disclose sensitive data to all third-party apps. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Android
NVD
CVSS 3.1
5.5
EPSS
0.1%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Rails Active Storage's DirectUploadsController accepts and persists arbitrary client-supplied metadata on blob objects, allowing attackers to manipulate internal flags like 'identified' and 'analyzed' that should only be set by the server. This affects Ruby on Rails versions across multiple release branches (7.2.x, 8.0.x, and 8.1.x prior to the patched versions 7.2.3.1, 8.0.4.1, and 8.1.2.1), and while not currently listed in the KEV catalog, patches are available from the vendor indicating acknowledgment of the issue's validity.

Information Disclosure Red Hat Suse
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL Act Now

Infinix devices contain a pre-loaded "com.transsion.agingfunction" application, that exposes an unsecured broadcast receiver. Rated critical severity (CVSS 9.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

The vulnerability is that the Call management ("com.android.server.telecom") app patched by LG sends a lot of LG-owned implicit broadcasts that disclose sensitive data to all third-party apps. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Google Android
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy