CVE-2023-4818

PAX A920 device allows to downgrade bootloader due to a bug in its version check. The signature is correctly checked and only bootloader signed by PAX can be used.  The attacker must have physical USB access to the device in order to exploit this vulnerability.
References
Configurations

Configuration 1 (hide)

AND
cpe:2.3:h:paxtechnology:a920:-:*:*:*:*:*:*:*
cpe:2.3:o:paxtechnology:paydroid:7.1.2_aquarius_11.1.50_20230614:*:*:*:*:*:*:*

History

10 Oct 2024, 16:15

Type Values Removed Values Added
CWE CWE-20
Summary (en) PAX A920 device allows to downgrade bootloader due to a bug in its version check. The signature is correctly checked and only bootloader signed by PAX can be used.  The attacker must have physical USB access to the device in order to exploit this vulnerability. (en) PAX A920 device allows to downgrade bootloader due to a bug in its version check. The signature is correctly checked and only bootloader signed by PAX can be used.  The attacker must have physical USB access to the device in order to exploit this vulnerability.

19 Jan 2024, 16:35

Type Values Removed Values Added
CPE cpe:2.3:o:paxtechnology:paydroid:7.1.2_aquarius_11.1.50_20230614:*:*:*:*:*:*:*
cpe:2.3:h:paxtechnology:a920:-:*:*:*:*:*:*:*
First Time Paxtechnology paydroid
Paxtechnology
Paxtechnology a920
CWE CWE-74
References () https://ppn.paxengine.com/release/development - () https://ppn.paxengine.com/release/development - Permissions Required
References () https://blog.stmcyber.com/pax-pos-cves-2023/ - () https://blog.stmcyber.com/pax-pos-cves-2023/ - Exploit, Third Party Advisory
References () https://cert.pl/en/posts/2024/01/CVE-2023-4818/ - () https://cert.pl/en/posts/2024/01/CVE-2023-4818/ - Third Party Advisory
References () https://cert.pl/posts/2024/01/CVE-2023-4818/ - () https://cert.pl/posts/2024/01/CVE-2023-4818/ - Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.6

15 Jan 2024, 14:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-01-15 14:15

Updated : 2024-10-10 16:15


NVD link : CVE-2023-4818

Mitre link : CVE-2023-4818

CVE.ORG link : CVE-2023-4818


JSON object : View

Products Affected

paxtechnology

  • paydroid
  • a920
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')