CVE-2023-42135

Summary

PAX A920Pro/A50 devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow local code execution via parameter injection by bypassing the input validation when flashing a specific partition.

The attacker must have physical USB access to the device in order to exploit this vulnerability.

Affected Software

VendorProductVersion RangeStatus
PAX TechnologyA920 Pro0 <= 11.1.50_20230614affected
PAX TechnologyA500 <= 11.1.50_20230614affected

Weaknesses

  • CWE-74: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References