Lucene search

CERT-PLCVELIST:CVE-2023-42137

HistoryJan 15, 2024 - 1:28 p.m.

CVE-2023-42137

2024-01-1513:28:59

CWE-20

CERT-PL

www.cve.org

cve-2023-42137

paydroid 8.1.0 sagittarius

symlinks

high privileges

shell access

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.9 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

16.4%

JSON

PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow for command execution with high privileges by using malicious symlinks.

The attacker must have shell access to the device in order to exploit this vulnerability.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Android"
    ],
    "product": "POS terminals",
    "vendor": "PAX Technology",
    "versions": [
      {
        "lessThanOrEqual": "11.1.50_20230614",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

References

blog.stmcyber.com/pax-pos-cves-2023/

cert.pl/en/posts/2024/01/CVE-2023-4818/

cert.pl/posts/2024/01/CVE-2023-4818/

ppn.paxengine.com/release/development

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.9 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

16.4%

JSON

Related for CVELIST:CVE-2023-42137