Race Condition Vulnerability in PAX A920 Pro Payment Device by PAX Technology
CVE-2023-26980

7 HIGH

Key Information:

Vendor

Pax

Status
Vendor
CVE Published:
14 April 2023

What is CVE-2023-26980?

The PAX A920 Pro payment device is susceptible to a race condition vulnerability that can potentially allow an attacker to bypass the standard payment software and boot directly into the Android operating system. The vendor asserts that practical exploitation of this vulnerability is unlikely, as the home launcher would typically intercept before user applications are engaged, but the risk remains a concern for the security of payment systems.

CVSS V3.1

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
