Vulnerability Description
PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.45_20230314 or earlier can allow the signed partition overwrite and subsequently local code execution via hidden command. The attacker must have physical USB access to the device in order to exploit this vulnerability.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Paxtechnology | Paydroid | <= 8.1.0_sagittarius_v11.1.45_20230314 |
| Paxtechnology | A920 Pro | - |
| Paxtechnology | A50 | - |
Related Weaknesses (CWE)
References
- https://blog.stmcyber.com/pax-pos-cves-2023/ExploitThird Party Advisory
- https://cert.pl/en/posts/2024/01/CVE-2023-4818/Third Party Advisory
- https://cert.pl/posts/2024/01/CVE-2023-4818/Third Party Advisory
- https://ppn.paxengine.com/release/developmentPermissions Required
- https://blog.stmcyber.com/pax-pos-cves-2023/ExploitThird Party Advisory
- https://cert.pl/en/posts/2024/01/CVE-2023-4818/Third Party Advisory
- https://cert.pl/posts/2024/01/CVE-2023-4818/Third Party Advisory
- https://ppn.paxengine.com/release/developmentPermissions Required
FAQ
What is CVE-2023-42134?
CVE-2023-42134 is a vulnerability with a CVSS score of 6.8 (MEDIUM). PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.45_20230314 or earlier can allow the signed partition overwrite and subsequently local code execution via hidden command. The a...
How severe is CVE-2023-42134?
CVE-2023-42134 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-42134?
Check the references section above for vendor advisories and patch information. Affected products include: Paxtechnology Paydroid, Paxtechnology A920 Pro, Paxtechnology A50.