Lucene search

[email protected]NVD:CVE-2023-42135

HistoryJan 15, 2024 - 2:15 p.m.

CVE-2023-42135

2024-01-1514:15:24

CWE-74

CWE-20

[email protected]

web.nvd.nist.gov

pax devices

paydroid

local code execution

parameter injection

input validation

usb access

vulnerability

6.8 Medium

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.3%

JSON

PAX A920Pro/A50 devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow local code execution via parameter injection by bypassing the input validation when flashing a specific partition.

The attacker must have physical USB access to the device in order to exploit this vulnerability.

Affected configurations

NVD

Node

paxtechnologya920_proMatch-

AND

paxtechnologypaydroidRange≤8.1.0_sagittarius_11.1.50_20230614

Node

paxtechnologya50Match-

AND

paxtechnologypaydroidRange≤8.1.0_sagittarius_11.1.50_20230614

References

blog.stmcyber.com/pax-pos-cves-2023/

cert.pl/en/posts/2024/01/CVE-2023-4818/

cert.pl/posts/2024/01/CVE-2023-4818/

ppn.paxengine.com/release/development

6.8 Medium

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.3%

JSON

Related for NVD:CVE-2023-42135

prion1 cve1 cvelist1 thn1