Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities found for POS terminals by PAX
CVE-2023-42133 (GCVE-0-2023-42133)
Vulnerability from nvd – Published: 2024-10-11 12:01 – Updated: 2024-10-11 14:42
VLAI
Summary
PAX Android based POS devices allow for escalation of privilege via improperly configured scripts.
An attacker must have shell access with system account privileges in order to exploit this vulnerability.
A patch addressing this issue was included in firmware version PayDroid_8.1.0_Sagittarius_V11.1.61_20240226.
Severity
6.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://ppn.paxengine.com/release/development? | vendor-advisory |
| https://blog.stmcyber.com/pax-pos-cves-2023/ | technical-description |
| https://cert.pl/en/posts/2024/10/CVE-2023-42133 | third-party-advisory |
| https://cert.pl/posts/2024/10/CVE-2023-42133 | third-party-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| PAX | POS terminals |
Affected:
0 , < 11.1.61_20240226
(custom)
|
|
| paxtechnology | paydroid |
Affected:
0 , < 11.1.61_20240226
(custom)
cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:* |
Date Public
2024-10-11 10:00
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "paydroid",
"vendor": "paxtechnology",
"versions": [
{
"lessThan": "11.1.61_20240226",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42133",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-11T14:36:06.943195Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-11T14:42:04.239Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Android"
],
"product": "POS terminals",
"vendor": "PAX",
"versions": [
{
"lessThan": "11.1.61_20240226",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-10-11T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003ePAX Android based POS devices allow for escalation of privilege via improperly configured scripts.\u003c/div\u003eAn attacker must have shell access with system account privileges in order to exploit this vulnerability.\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA patch addressing this issue was included in firmware version \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ePayDroid_8.1.0_Sagittarius_V11.1.61_20240226. \u003c/span\u003e\u003cbr\u003e"
}
],
"value": "PAX Android based POS devices allow for escalation of privilege via improperly configured scripts.\n\nAn attacker must have shell access with system account privileges in order to exploit this vulnerability.\nA patch addressing this issue was included in firmware version PayDroid_8.1.0_Sagittarius_V11.1.61_20240226."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-11T12:01:13.299Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://ppn.paxengine.com/release/development?"
},
{
"tags": [
"technical-description"
],
"url": "https://blog.stmcyber.com/pax-pos-cves-2023/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2024/10/CVE-2023-42133"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2024/10/CVE-2023-42133"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2023-42133",
"datePublished": "2024-10-11T12:01:13.299Z",
"dateReserved": "2023-09-07T13:17:57.371Z",
"dateUpdated": "2024-10-11T14:42:04.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42133 (GCVE-0-2023-42133)
Vulnerability from cvelistv5 – Published: 2024-10-11 12:01 – Updated: 2024-10-11 14:42
VLAI
Summary
PAX Android based POS devices allow for escalation of privilege via improperly configured scripts.
An attacker must have shell access with system account privileges in order to exploit this vulnerability.
A patch addressing this issue was included in firmware version PayDroid_8.1.0_Sagittarius_V11.1.61_20240226.
Severity
6.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://ppn.paxengine.com/release/development? | vendor-advisory |
| https://blog.stmcyber.com/pax-pos-cves-2023/ | technical-description |
| https://cert.pl/en/posts/2024/10/CVE-2023-42133 | third-party-advisory |
| https://cert.pl/posts/2024/10/CVE-2023-42133 | third-party-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| PAX | POS terminals |
Affected:
0 , < 11.1.61_20240226
(custom)
|
|
| paxtechnology | paydroid |
Affected:
0 , < 11.1.61_20240226
(custom)
cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:* |
Date Public
2024-10-11 10:00
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "paydroid",
"vendor": "paxtechnology",
"versions": [
{
"lessThan": "11.1.61_20240226",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42133",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-11T14:36:06.943195Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-11T14:42:04.239Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Android"
],
"product": "POS terminals",
"vendor": "PAX",
"versions": [
{
"lessThan": "11.1.61_20240226",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-10-11T10:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003ePAX Android based POS devices allow for escalation of privilege via improperly configured scripts.\u003c/div\u003eAn attacker must have shell access with system account privileges in order to exploit this vulnerability.\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA patch addressing this issue was included in firmware version \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ePayDroid_8.1.0_Sagittarius_V11.1.61_20240226. \u003c/span\u003e\u003cbr\u003e"
}
],
"value": "PAX Android based POS devices allow for escalation of privilege via improperly configured scripts.\n\nAn attacker must have shell access with system account privileges in order to exploit this vulnerability.\nA patch addressing this issue was included in firmware version PayDroid_8.1.0_Sagittarius_V11.1.61_20240226."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-11T12:01:13.299Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://ppn.paxengine.com/release/development?"
},
{
"tags": [
"technical-description"
],
"url": "https://blog.stmcyber.com/pax-pos-cves-2023/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2024/10/CVE-2023-42133"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2024/10/CVE-2023-42133"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2023-42133",
"datePublished": "2024-10-11T12:01:13.299Z",
"dateReserved": "2023-09-07T13:17:57.371Z",
"dateUpdated": "2024-10-11T14:42:04.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}