Vulnerability Description
PAX Android-based POS devices running PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier allow command execution with high privileges through malicious symlinks: a privileged component follows a symlink that a low-privileged user has planted, so a file it writes or runs can be redirected. The attacker must already have shell access to the device in order to exploit this vulnerability.
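The weakness class behind this advisory, as an added illustration that is not PAX code and is not taken from the referenced advisories: a privileged component writes a file into a directory that an unprivileged shell user can also write to, open(2) silently follows a symlink the attacker planted there, and the write lands on a file the privileged component later executes. The directory and file names (staging/, update.sh, privileged.sh) and the payload are constructed for the demo, and the code does not claim to reproduce the exact PayDroid code path. The hardened variant shows the standard mitigation: openat on a pinned directory descriptor with O_NOFOLLOW, plus an fstat check on what was actually opened.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable writer: open(2) follows a symlink on the final component, so a link
 * planted in the staging directory redirects the privileged write elsewhere. */
int staging_write_vulnerable(const char *dir, const char *name, const char *data)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Hardened writer: pin the directory to a descriptor, accept a single path
 * component only, refuse a symlink on that component (O_NOFOLLOW -> ELOOP), and
 * check that the object actually opened is a regular file with one link. */
int staging_write_hardened(const char *dir, const char *name, const char *data)
{
    if (name[0] == '\0' || strchr(name, '/') != NULL) return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0644);
    close(dfd);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Read a small file back so the demo can tell whether the target changed. */
static int read_small(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) { buf[0] = '\0'; return -1; }
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0) { buf[0] = '\0'; return -1; }
    buf[n] = '\0';
    return (int)n;
}

/* Constructed scenario in a fresh temp directory: privileged.sh stands in for a
 * script a privileged component later runs; staging/update.sh is a symlink the
 * attacker planted from an unprivileged shell, pointing at privileged.sh.
 * Returns 1 when the vulnerable writer overwrote privileged.sh and the hardened
 * writer refused and left it intact, 0 otherwise, -1 if setup failed. */
int symlink_demo(void)
{
    const char *original = "#!/bin/sh\necho ok\n";
    const char *payload  = "#!/bin/sh\nid > /tmp/pwned\n";   /* constructed attacker payload */
    char root[] = "/tmp/paxdemoXXXXXX";
    if (mkdtemp(root) == NULL) return -1;
    char target[4096], staging[4096], link[4096], buf[256];
    snprintf(target, sizeof target, "%s/privileged.sh", root);
    snprintf(staging, sizeof staging, "%s/staging", root);
    snprintf(link, sizeof link, "%s/update.sh", staging);
    if (mkdir(staging, 0755) != 0) return -1;
    if (staging_write_hardened(root, "privileged.sh", original) != 0) return -1;
    if (symlink(target, link) != 0) return -1;          /* the attacker's step */

    int vuln_rc = staging_write_vulnerable(staging, "update.sh", payload);
    read_small(target, buf, sizeof buf);
    int overwritten = (vuln_rc == 0 && strcmp(buf, payload) == 0);

    staging_write_hardened(root, "privileged.sh", original);   /* restore */
    int hard_rc = staging_write_hardened(staging, "update.sh", payload);
    read_small(target, buf, sizeof buf);
    int intact = (hard_rc != 0 && strcmp(buf, original) == 0);

    unlink(link); unlink(target); rmdir(staging); rmdir(root);
    return (overwritten && intact) ? 1 : 0;
}

int main(void)
{
    int r = symlink_demo();
    printf("%s\n", r == 1 ? "open() followed the planted symlink; the O_NOFOLLOW writer refused"
                          : "unexpected result (setup failure or platform difference)");
    return r == 1 ? 0 : 1;
}
```

Run it as an unprivileged user; both writers run with the same rights here, so the only thing being demonstrated is whether the symlink is followed. On a real device the privileged writer runs as root or system, which is what turns a redirected file write into command execution with high privileges. O_NOFOLLOW protects only the final path component: if the attacker can also replace an intermediate directory, walk the path one component at a time with openat, or on Linux 5.6 and later use openat2(2) with RESOLVE_NO_SYMLINKS.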
CVSS Score
7.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Paxtechnology | Paydroid | <= 8.1.0_sagittarius_11.1.50_20230614 |
| Paxtechnology | A50 | - |
| Paxtechnology | A6650 | - |
| Paxtechnology | A800 | - |
| Paxtechnology | A77 | - |
| Paxtechnology | A920 | - |
| Paxtechnology | A920 Pro | - |
| Paxtechnology | A920 Max | - |
| Paxtechnology | D190 | - |
Related Weaknesses (CWE)
References
- https://blog.stmcyber.com/pax-pos-cves-2023/ (Exploit, Third Party Advisory)
- https://cert.pl/en/posts/2024/01/CVE-2023-4818/ (Third Party Advisory)
- https://cert.pl/posts/2024/01/CVE-2023-4818/ (Third Party Advisory)
- https://ppn.paxengine.com/release/development (Permissions Required)
FAQ
What is CVE-2023-42137?
CVE-2023-42137 is a vulnerability with a CVSS score of 7.8 (HIGH). PAX Android-based POS devices running PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier allow command execution with high privileges through malicious symlinks. The attacker must already have shell access to the device in order to exploit this vulnerability.
How severe is CVE-2023-42137?
CVE-2023-42137 has been rated HIGH with a CVSS base score of 7.8/10. Exploitation requires an attacker who already has shell access on the device, so the practical risk is escalation from a low-privileged shell to high-privileged command execution, not remote compromise on its own.
Is there a patch for CVE-2023-42137?
The affected range ends at PayDroid_8.1.0_Sagittarius_V11.1.50_20230614, so PayDroid builds later than that are outside the range described here; consult the PAX release page (permissions required) and the STM Cyber and CERT Polska advisories in the references section for fix details. Affected products include: Paxtechnology Paydroid, A50, A6650, A800, A77, A920, A920 Pro, A920 Max and D190.