CVE-2023-42137

EUVD-2023-46596
PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow for command execution with high privileges by using malicious symlinks.




The attacker must have shell access to the device in order to exploit this vulnerability.
Link Following
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CERT-PLCNA
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 34%
Affected Products (NVD)
VendorProductVersion
paxtechnologypaydroid
𝑥
≤ 8.1.0_sagittarius_11.1.50_20230614
paxtechnologypaydroid
𝑥
≤ 8.1.0_sagittarius_11.1.50_20230614
paxtechnologypaydroid
𝑥
≤ 8.1.0_sagittarius_11.1.50_20230614
paxtechnologypaydroid
𝑥
≤ 8.1.0_sagittarius_11.1.50_20230614
paxtechnologypaydroid
𝑥
≤ 8.1.0_sagittarius_11.1.50_20230614
paxtechnologypaydroid
𝑥
≤ 8.1.0_sagittarius_11.1.50_20230614
paxtechnologypaydroid
𝑥
≤ 8.1.0_sagittarius_11.1.50_20230614
paxtechnologypaydroid
𝑥
≤ 8.1.0_sagittarius_11.1.50_20230614
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://blog.stmcyber.com/pax-pos-cves-2023/
https://cert.pl/en/posts/2024/01/CVE-2023-4818/
https://cert.pl/posts/2024/01/CVE-2023-4818/
https://ppn.paxengine.com/release/development
https://blog.stmcyber.com/pax-pos-cves-2023/
https://cert.pl/en/posts/2024/01/CVE-2023-4818/
https://cert.pl/posts/2024/01/CVE-2023-4818/
https://ppn.paxengine.com/release/development