Shell Injection Vulnerability in PAX Android POS Devices
CVE-2023-42136

7.8HIGH

Key Information:

Vendor

Pax Technology

Status
Pos Terminals
Vendor
CVE Published:
15 January 2024

What is CVE-2023-42136?

An identified vulnerability within PAX Android-based Point of Sale (POS) devices enables an attacker with shell access to conduct shell injection, allowing arbitrary command execution with system account privileges. This security flaw is present in the PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 and earlier versions. Exploitation necessitates that the malicious actor has prior shell access to the device, making it critical for users to maintain robust access controls and regularly update their systems to mitigate risks.

Affected Version(s)

POS terminals Android 0 <= 11.1.50_20230614

References

https://ppn.paxengine.com/release/development
vendor-advisory
https://blog.stmcyber.com/pax-pos-cves-2023/
technical-description
https://cert.pl/en/posts/2024/01/CVE-2023-4818/
third-party-advisory

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hubert Jasudowicz, Adam KliĹ› and other members of STM Cyber R&D team
.
CVE-2023-42136 : Shell Injection Vulnerability in PAX Android POS Devices