PAX A920Pro/A50 devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow local code execution via parameter injection by bypassing the input validation when flashing a specific partition.
The attacker must have physical USB access to the device in order to exploit this vulnerability.
References
Link | Resource |
---|---|
https://blog.stmcyber.com/pax-pos-cves-2023/ | Exploit Third Party Advisory |
https://cert.pl/en/posts/2024/01/CVE-2023-4818/ | Third Party Advisory |
https://cert.pl/posts/2024/01/CVE-2023-4818/ | Third Party Advisory |
https://ppn.paxengine.com/release/development | Permissions Required |
Configurations
History
10 Oct 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
CWE |
19 Jan 2024, 15:47
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-01-15 14:15
Updated : 2024-10-10 16:15
NVD link : CVE-2023-42135
Mitre link : CVE-2023-42135
CVE.ORG link : CVE-2023-42135
JSON object : View
Products Affected
paxtechnology
- paydroid
- a50
- a920_pro
CWE
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')