CVE-2022-26582

PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow an attacker to gain root access through command injection in systool client. The attacker must have shell access to the device in order to exploit this vulnerability.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c	Third Party Advisory
https://github.com/wr3nchsr/PAX-Paydroid-Advisories/blob/master/advisories/2022/CVEs/CVE-2022-26582.md
https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/
https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c	Third Party Advisory
https://github.com/wr3nchsr/PAX-Paydroid-Advisories/blob/master/advisories/2022/CVEs/CVE-2022-26582.md
https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:paxtechnology:paydroid:7.1.1_virgo_v04.3.26t1_20210419:*:*:*:*:*:*:*

cpe:2.3:h:paxtechnology:a930:-:*:*:*:*:*:*:*

History

21 Nov 2024, 06:54

Type	Values Removed	Values Added
References	~~() https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c - Third Party Advisory~~	() https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c - Third Party Advisory
References	~~() https://github.com/wr3nchsr/PAX-Paydroid-Advisories/blob/master/advisories/2022/CVEs/CVE-2022-26582.md -~~	() https://github.com/wr3nchsr/PAX-Paydroid-Advisories/blob/master/advisories/2022/CVEs/CVE-2022-26582.md -
References	~~() https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/ -~~	() https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/ -

23 Apr 2024, 14:15

Type	Values Removed	Values Added
References		() https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/ -

Information

Published : 2022-12-16 22:15

Updated : 2024-11-21 06:54

NVD link : CVE-2022-26582

Mitre link : CVE-2022-26582

CVE.ORG link : CVE-2022-26582

JSON object : View

Products Affected

paxtechnology

a930
paydroid

CWE

CWE-20

Improper Input Validation

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2022-26582", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2022-12-16T22:15:08.973", "references": [{"url": "https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/wr3nchsr/PAX-Paydroid-Advisories/blob/master/advisories/2022/CVEs/CVE-2022-26582.md", "source": "cve@mitre.org"}, {"url": "https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/", "source": "cve@mitre.org"}, {"url": "https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/wr3nchsr/PAX-Paydroid-Advisories/blob/master/advisories/2022/CVEs/CVE-2022-26582.md", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-78"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow an attacker to gain root access through command injection in systool client. The attacker must have shell access to the device in order to exploit this vulnerability."}, {"lang": "es", "value": "El dispositivo PAX A930 con PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 puede permitir a un atacante obtener acceso de root mediante la inyecci\u00f3n de comandos en el cliente systool. El atacante debe tener acceso de shell al dispositivo para poder aprovechar esta vulnerabilidad."}], "lastModified": "2024-11-21T06:54:09.940", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:paxtechnology:paydroid:7.1.1_virgo_v04.3.26t1_20210419:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FAC5D8D6-7815-4C59-92A0-1576AB8CCE4A"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:paxtechnology:a930:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "DB9FB279-F679-4E82-9FA8-56EA001A488C"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}