CWE-926
AllowedImproper Export of Android Application Components
Abstraction: Variant · Status: Incomplete
The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.
147 vulnerabilities reference this CWE, most recent first.
GHSA-QFVP-CGP6-7939
Vulnerability from github – Published: 2025-07-28 06:30 – Updated: 2025-07-28 06:30A vulnerability, which was classified as problematic, has been found in Cool Mo Maigcal Number App up to 1.0.3 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.sdmagic.number. The manipulation leads to improper export of android application components. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-8258"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-28T05:16:20Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as problematic, has been found in Cool Mo Maigcal Number App up to 1.0.3 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.sdmagic.number. The manipulation leads to improper export of android application components. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-qfvp-cgp6-7939",
"modified": "2025-07-28T06:30:22Z",
"published": "2025-07-28T06:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8258"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.sdmagic.number.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.317846"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.317846"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.623472"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QMF8-Q45M-P8W5
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-09-22 21:30A vulnerability was determined in Webull Investing & Trading App 11.2.5.63 on Android. This vulnerability affects unknown code of the file AndroidManifest.xml. This manipulation causes improper export of android application components. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-10721"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-19T18:15:36Z",
"severity": "MODERATE"
},
"details": "A vulnerability was determined in Webull Investing \u0026 Trading App 11.2.5.63 on Android. This vulnerability affects unknown code of the file AndroidManifest.xml. This manipulation causes improper export of android application components. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-qmf8-q45m-p8w5",
"modified": "2025-09-22T21:30:18Z",
"published": "2025-09-22T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10721"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/org.dayup.stocks.md"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/org.dayup.stocks.md#steps-to-reproduce"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.325010"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.325010"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.645014"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QQJ3-X66M-G7HF
Vulnerability from github – Published: 2023-09-06 06:30 – Updated: 2024-04-04 07:30Improper export of android application components vulnerability in WifiApAutoHotspotEnablingActivity prior to SMR Sep-2023 Release 1 allows local attacker to change a Auto Hotspot setting.
{
"affected": [],
"aliases": [
"CVE-2023-30718"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-06T04:15:14Z",
"severity": "LOW"
},
"details": "Improper export of android application components vulnerability in WifiApAutoHotspotEnablingActivity prior to SMR Sep-2023 Release 1 allows local attacker to change a Auto Hotspot setting.",
"id": "GHSA-qqj3-x66m-g7hf",
"modified": "2024-04-04T07:30:58Z",
"published": "2023-09-06T06:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30718"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2023\u0026month=09"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QWF2-JJG5-HCV2
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-09-22 21:30A vulnerability was found in Ooma Office Business Phone App up to 7.2.2 on Android. This affects an unknown part of the component com.ooma.office2. The manipulation results in improper export of android application components. The attack needs to be approached locally. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-10718"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-19T16:15:42Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Ooma Office Business Phone App up to 7.2.2 on Android. This affects an unknown part of the component com.ooma.office2. The manipulation results in improper export of android application components. The attack needs to be approached locally. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-qwf2-jjg5-hcv2",
"modified": "2025-09-22T21:30:17Z",
"published": "2025-09-22T21:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10718"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.ooma.office2.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.325009"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.325009"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.645012"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-R956-2553-VVHR
Vulnerability from github – Published: 2024-04-07 09:30 – Updated: 2024-04-08 15:45A vulnerability, which was classified as critical, has been found in kyivstarteam react-native-sms-user-consent up to 1.1.4 on Android. Affected by this issue is the function registerReceiver of the file android/src/main/java/ua/kyivstar/reactnativesmsuserconsent/SmsUserConsentModule.kt. The manipulation leads to improper export of android application components. Attacking locally is a requirement. Upgrading to version 1.1.5 is able to address this issue. The name of the patch is 5423dcb0cd3e4d573b5520a71fa08aa279e4c3c7. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-259508.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@kyivstarteam/react-native-sms-user-consent"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-4438"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-08T15:45:37Z",
"nvd_published_at": "2024-04-07T09:15:07Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as critical, has been found in kyivstarteam react-native-sms-user-consent up to 1.1.4 on Android. Affected by this issue is the function `registerReceiver` of the file `android/src/main/java/ua/kyivstar/reactnativesmsuserconsent/SmsUserConsentModule.kt`. The manipulation leads to improper export of android application components. Attacking locally is a requirement. Upgrading to version 1.1.5 is able to address this issue. The name of the patch is 5423dcb0cd3e4d573b5520a71fa08aa279e4c3c7. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-259508.",
"id": "GHSA-r956-2553-vvhr",
"modified": "2024-04-08T15:45:37Z",
"published": "2024-04-07T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4438"
},
{
"type": "WEB",
"url": "https://github.com/kyivstarteam/react-native-sms-user-consent/pull/4"
},
{
"type": "WEB",
"url": "https://github.com/kyivstarteam/react-native-sms-user-consent/commit/5423dcb0cd3e4d573b5520a71fa08aa279e4c3c7"
},
{
"type": "PACKAGE",
"url": "https://github.com/kyivstarteam/react-native-sms-user-consent"
},
{
"type": "WEB",
"url": "https://github.com/kyivstarteam/react-native-sms-user-consent/releases/tag/1.1.5"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.259508"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.259508"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "React Native Sms User Consent Intent Redirection Vulnerability"
}
GHSA-RMMP-8HV8-CR6P
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-09-22 21:30A vulnerability was detected in SKTLab Mukbee App 1.01.196 on Android. This affects an unknown function of the file AndroidManifest.xml of the component com.dw.android.mukbee. The manipulation results in improper export of android application components. The attack must be initiated from a local position. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-10722"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-19T18:15:36Z",
"severity": "MODERATE"
},
"details": "A vulnerability was detected in SKTLab Mukbee App 1.01.196 on Android. This affects an unknown function of the file AndroidManifest.xml of the component com.dw.android.mukbee. The manipulation results in improper export of android application components. The attack must be initiated from a local position. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-rmmp-8hv8-cr6p",
"modified": "2025-09-22T21:30:18Z",
"published": "2025-09-22T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10722"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.dw.android.mukbee.md"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.dw.android.mukbee.md#steps-to-reproduce"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.325015"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.325015"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.645019"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-V38F-6CHF-2VHR
Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2024-04-04 07:55The vulnerability is that the Messaging ("com.android.mms") app patched by LG forwards attacker-controlled intents back to the attacker in the exported "com.android.mms.ui.QClipIntentReceiverActivity" activity. The attacker can abuse this functionality by launching this activity and then sending a broadcast with the "com.lge.message.action.QCLIP" action. The attacker can send, e.g., their own data/clipdata and set Intent.FLAG_GRANT_* flags. After the attacker received that intent in the "onActivityResult()" method, they would have access to arbitrary content providers that have the android:grantUriPermissions="true" flag set.
{
"affected": [],
"aliases": [
"CVE-2023-44129"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-27T15:19:37Z",
"severity": "LOW"
},
"details": "The vulnerability is that the Messaging (\"com.android.mms\") app patched by LG forwards attacker-controlled intents back to the attacker in the exported \"com.android.mms.ui.QClipIntentReceiverActivity\" activity. The attacker can abuse this functionality by launching this activity and then sending a broadcast with the \"com.lge.message.action.QCLIP\" action. The attacker can send, e.g., their own data/clipdata and set Intent.FLAG_GRANT_* flags. After the attacker received that intent in the \"onActivityResult()\" method, they would have access to arbitrary content providers that have the `android:grantUriPermissions=\"true\"` flag set.",
"id": "GHSA-v38f-6chf-2vhr",
"modified": "2024-04-04T07:55:27Z",
"published": "2023-09-27T15:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44129"
},
{
"type": "WEB",
"url": "https://lgsecurity.lge.com/bulletins/mobile#updateDetails"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VF6X-MC82-5237
Vulnerability from github – Published: 2025-08-29 21:32 – Updated: 2025-08-29 21:32A security flaw has been discovered in Modo Legend of the Phoenix up to 1.0.5. The affected element is an unknown function of the file AndroidManifest.xml of the component com.duige.hzw.multilingual. The manipulation results in improper export of android application components. The attack needs to be approached locally. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-9677"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-29T21:15:38Z",
"severity": "MODERATE"
},
"details": "A security flaw has been discovered in Modo Legend of the Phoenix up to 1.0.5. The affected element is an unknown function of the file AndroidManifest.xml of the component com.duige.hzw.multilingual. The manipulation results in improper export of android application components. The attack needs to be approached locally. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-vf6x-mc82-5237",
"modified": "2025-08-29T21:32:03Z",
"published": "2025-08-29T21:32:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9677"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.duige.hzw.multilingual.md"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.duige.hzw.multilingual.md#steps-to-reproduce"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.321889"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.321889"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.638078"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VGW9-VJ3P-W74H
Vulnerability from github – Published: 2025-09-09 18:31 – Updated: 2025-09-09 18:31A flaw has been found in ZhenShi Mibro Fit App 1.6.3.17499 on Android. This impacts an unknown function of the file AndroidManifest.xml of the component com.xiaoxun.xunoversea.mibrofit. This manipulation causes improper export of android application components. The attack requires local access. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-5500"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-09T17:16:15Z",
"severity": "MODERATE"
},
"details": "A flaw has been found in ZhenShi Mibro Fit App 1.6.3.17499 on Android. This impacts an unknown function of the file AndroidManifest.xml of the component com.xiaoxun.xunoversea.mibrofit. This manipulation causes improper export of android application components. The attack requires local access. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-vgw9-vj3p-w74h",
"modified": "2025-09-09T18:31:25Z",
"published": "2025-09-09T18:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5500"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.xiaoxun.xunoversea.mibrofit.md"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.xiaoxun.xunoversea.mibrofit.md#steps-to-reproduce"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.323234"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.323234"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.637921"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VJ32-5645-8HM6
Vulnerability from github – Published: 2025-07-20 15:30 – Updated: 2025-07-20 15:30A vulnerability was found in Dunamu StockPlus App up to 7.62.10 on Android. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.dunamu.stockplus. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-7890"
],
"database_specific": {
"cwe_ids": [
"CWE-926"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-20T13:15:24Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Dunamu StockPlus App up to 7.62.10 on Android. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.dunamu.stockplus. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-vj32-5645-8hm6",
"modified": "2025-07-20T15:30:27Z",
"published": "2025-07-20T15:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7890"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.dunamu.stockplus.md"
},
{
"type": "WEB",
"url": "https://github.com/KMov-g/androidapps/blob/main/com.dunamu.stockplus.md#steps-to-reproduce"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.317005"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.317005"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.615270"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Strategy: Attack Surface Reduction
If they do not need to be shared by other applications, explicitly mark components with android:exported="false" in the application manifest.
Mitigation
Strategy: Attack Surface Reduction
If you only intend to use exported components between related apps under your control, use android:protectionLevel="signature" in the xml manifest to restrict access to applications signed by you.
Mitigation
Strategy: Attack Surface Reduction
Limit Content Provider permissions (read/write) as appropriate.
Mitigation
Strategy: Separation of Privilege
Limit Content Provider permissions (read/write) as appropriate.
No CAPEC attack patterns related to this CWE.