CVEbaza.plSłownik CWECWE-926
Common Weakness Enumeration

CWE-926

Improper Export of Android Application Components

Kategoria: VariantCVE: 81
Opis

Aplikacja Android eksportuje komponent do użytku przez inne aplikacje, jednak nie ogranicza prawidłowo, które aplikacje mogą uruchomić komponent lub uzyskać dostęp do zawartych w nim danych. Brak odpowiednich zabezpieczeń może prowadzić do nieautoryzowanego dostępu do wrażliwych informacji lub funkcjonalności.

Description (EN)

The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.

Podatności CVE z CWE-926 (81)
8.5
CVSS
HIGH
CVE-2025-5344

Bluebird devices contain a pre-loaded kiosk application. This application exposes an unsecured service provider "com.bluebird.kiosk.launcher.IpartnerKioskRemoteService". A local attacker can bind to the AIDL-type service to modify device's global settings and wallpaper image. This issue affects all versions before 1.1.2.

pub. 2025-07-17
8.3
CVSS
HIGH
CVE-2024-13917

An application "com.pri.applock", which is pre-loaded on Kruger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data. Exposed ”com.pri.applock.LockUI“ activity allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application. One must know the protecting PIN number (it might be revealed by exploiting CVE-2024-13916) or ask the user to provide it. Only version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. Application update was released in April 2025.

pub. 2025-05-30
8.0
CVSS
HIGH
CVE-2025-68713

An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app's scoped storage. The resulting files appear in the application's trusted Received interface. These conditions establish a vector for arbitrary code execution if the payload is an APK file, or a denial-of-service condition through resource exhaustion from oversized transfers.

pub. 2026-06-15
7.8
CVSS
HIGH
CVE-2025-32347

In onStart of BiometricEnrollIntroduction.java, there is a possible way to determine the device's location due to an unsafe PendingIntent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

pub. 2025-09-04
7.8
CVSS
HIGH
CVE-2021-25400

Intent redirection vulnerability in Samsung Internet prior to version 14.0.1.20 allows attacker to execute privileged action.

pub. 2021-06-11
7.5
CVSS
HIGH
CVE-2025-15464

Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls.

pub. 2026-01-08
7.1
CVSS
HIGH
CVE-2026-54318

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.5.3, the LocationSensorManager BroadcastReceiver is exported with no permission. Any installed app, with zero runtime permissions, can broadcast a forged Google Play Services LocationResult directly to it; the receiver trusts the extra and forwards it to the user's Home Assistant server as the device's real location. This bypasses Android's developer-mode "Mock Location" gate and allows a local malicious app to drive zone-based automations (unlock door / disarm alarm / open garage) by faking the user's GPS position. This vulnerability is fixed in 2026.5.3.

pub. 2026-06-23
7.1
CVSS
HIGH
CVE-2023-41960

The vulnerability allows an unprivileged(untrusted) third-party application to interact with a content-provider unsafely exposed by the Android Agent application, potentially modifying sensitive settings of the Android Client application itself.

pub. 2023-10-25
7.1
CVSS
HIGH
CVE-2021-25388

Improper caller check vulnerability in Knox Core prior to SMR MAY-2021 Release 1 allows attackers to install arbitrary app.

pub. 2021-06-11
6.9
CVSS
MEDIUM
CVE-2026-3291

Samsung Print Service Plugin for Android is potentially vulnerable to information disclosure when using an outdated version of the application via mobile devices. HP is releasing updates to mitigate these potential vulnerabilities.

pub. 2026-05-06
6.9
CVSS
MEDIUM
CVE-2024-13915

Android based smartphones from vendors such as Ulefone and Krüger&Matz contain "com.pri.factorytest" application preloaded onto devices during manufacturing process. The application "com.pri.factorytest" (version name: 1.0, version code: 1) exposes a ”com.pri.factorytest.emmc.FactoryResetService“ service allowing any application to perform a factory reset of the device.  Application update did not increment the APK version. Instead, it was bundled in OS builds released later than December 2024 (Ulefone) and April 2025 (Krüger&Matz).

pub. 2025-05-30
6.9
CVSS
MEDIUM
CVE-2024-13916

An application "com.pri.applock", which is pre-loaded on Kruger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data. Exposed ”com.android.providers.settings.fingerprint.PriFpShareProvider“ content provider's public method query() allows any other malicious application, without any granted Android system permissions, to exfiltrate the PIN code. Only version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. Application update was released in April 2025.

pub. 2025-05-30
6.8
CVSS
MEDIUM
CVE-2021-25397

An improper access control vulnerability in TelephonyUI prior to SMR MAY-2021 Release 1 allows local attackers to write arbitrary files of telephony process via untrusted applications.

pub. 2021-06-11
6.5
CVSS
MEDIUM
CVE-2025-27599

Element X Android is a Matrix Android Client provided by element.io. Prior to version 25.04.2, a crafted hyperlink on a webpage, or a locally installed malicious app, can force Element X up to version 25.04.1 to load a webpage with similar permissions to Element Call and automatically grant it temporary access to microphone and camera. This issue has been patched in version 25.04.2.

pub. 2025-04-18
6.5
CVSS
MEDIUM
CVE-2024-36437

The com.enflick.android.TextNow (aka TextNow: Call + Text Unlimited) application 24.17.0.2 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.enflick.android.TextNow.activities.DialerActivity component.

pub. 2025-02-03
6.3
CVSS
MEDIUM
CVE-2025-5345

Bluebird devices contain a pre-loaded file manager application. This application exposes an unsecured service provider "com.bluebird.system.koreanpost.IsdcardRemoteService". A local attacker can bind to the AIDL-type service to copy and delete arbitrary files from device's storage with system-level permissions. Version 1.4.4 is vulnerable, vendor reverted vulnerable versions to older version: 1.3.6

pub. 2025-07-17
6.0
CVSS
MEDIUM
CVE-2026-12960

An Improper Export of Android Application Components vulnerability in ASUS Router App allows a third-party application on the same device to send a crafted Intent that causes ASUS Router App to open an specified URL. Refer to the ' Security Update for ASUS Router Android App ' section on the ASUS Security Advisory for more information.

pub. 2026-07-03
5.5
CVSS
MEDIUM
CVE-2026-44279

An improper export of android application components vulnerability in Fortinet FortiTokenAndroid 6.2 all versions, FortiTokenAndroid 6.1 all versions, FortiTokenAndroid 5.2 all versions may allow attacker to disclose information via an exported Content Provider URI.

pub. 2026-05-12
5.5
CVSS
MEDIUM
CVE-2025-20934

Improper access control in Sticker Center prior to SMR Apr-2025 Release 1 allows local attackers to access image files with system privilege.

pub. 2025-04-08
5.5
CVSS
MEDIUM
CVE-2023-20962

In getSliceEndItem of MediaVolumePreferenceController.java, there is a possible way to start foreground activity from the background due to an unsafe PendingIntent. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-256590210

pub. 2023-03-24
Pokazano 20 z 81 podatności
Informacje
ID: CWE-926
Typ: Variant
Podatności: 81
MITRE CWE ↗
← Słownik CWE
CWE-926 — Niewłaściwy eksport komponentów aplikacji Android | Słownik CWE | CVEbaza.pl