CVE-2023-42137

PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow for command execution with high privileges by using malicious symlinks.




The attacker must have shell access to the device in order to exploit this vulnerability.
Link Following
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CERT-PLCNA
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 35%
VendorProductVersion
paxtechnologypaydroid
𝑥
≤ 8.1.0_sagittarius_11.1.50_20230614
paxtechnologypaydroid
𝑥
≤ 8.1.0_sagittarius_11.1.50_20230614
paxtechnologypaydroid
𝑥
≤ 8.1.0_sagittarius_11.1.50_20230614
paxtechnologypaydroid
𝑥
≤ 8.1.0_sagittarius_11.1.50_20230614
paxtechnologypaydroid
𝑥
≤ 8.1.0_sagittarius_11.1.50_20230614
paxtechnologypaydroid
𝑥
≤ 8.1.0_sagittarius_11.1.50_20230614
paxtechnologypaydroid
𝑥
≤ 8.1.0_sagittarius_11.1.50_20230614
paxtechnologypaydroid
𝑥
≤ 8.1.0_sagittarius_11.1.50_20230614
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://blog.stmcyber.com/pax-pos-cves-2023/
https://cert.pl/en/posts/2024/01/CVE-2023-4818/
https://cert.pl/posts/2024/01/CVE-2023-4818/
https://ppn.paxengine.com/release/development
https://blog.stmcyber.com/pax-pos-cves-2023/
https://cert.pl/en/posts/2024/01/CVE-2023-4818/
https://cert.pl/posts/2024/01/CVE-2023-4818/
https://ppn.paxengine.com/release/development