CVE-2023-42134

Published: Jan 15, 2024Modified: Nov 21, 2024

6.8

Vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 0.9 / Impact: 5.9

Source: NVD

Description

PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.45_20230314 or earlier can allow the signed partition overwrite and subsequently local code execution via hidden command. The attacker must have physical USB access to the device in order to exploit this vulnerability.

Affected (1)

Products: Paxtechnology: Paydroid

1 product

Configuration A

1 platform

Running on/with	Platform Versions
Paxtechnology A920 Pro	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Paxtechnology Paydroid	Up to 8.1.0_sagittarius_v11.1.45_20230314

Running on/with	Platform Versions
Paxtechnology A50	All versions

Related CWEs

Hidden Functionality

The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.

References (8)

https://blog.stmcyber.com/pax-pos-cves-2023/

Source: cvd@cert.pl

ExploitThird Party Advisory

https://cert.pl/en/posts/2024/01/CVE-2023-4818/

Source: cvd@cert.pl

Third Party Advisory

https://cert.pl/posts/2024/01/CVE-2023-4818/

Source: cvd@cert.pl

Third Party Advisory

https://ppn.paxengine.com/release/development

Source: cvd@cert.pl

Permissions Required

https://blog.stmcyber.com/pax-pos-cves-2023/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://cert.pl/en/posts/2024/01/CVE-2023-4818/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://cert.pl/posts/2024/01/CVE-2023-4818/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://ppn.paxengine.com/release/development

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

Timeline

No history available yet.