PT-2021-11920 · Pax Technology · Paxstore

Andriel C. S. Biagioni +1 · Published 2021-05-07 · Updated 2022-07-12 · CVE-2020-36126

CVSS v3.1: 8.1 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: Pax Technology PAXSTORE versions 7.0.8 20200511171508 and lower
Description: The issue is related to incorrect access control, which can lead to remote privilege escalation. Specifically, PAXSTORE marketplace endpoints allow an authenticated user to read and write data not owned by them, including data from third-party users, applications, and payment terminals. This can enable an attacker to impersonate any user, potentially resulting in the unauthorized disclosure, modification, or destruction of information.
Recommendations: For versions 7.0.8 20200511171508 and lower, consider restricting access to the PAXSTORE marketplace endpoints to prevent unauthorized data modification until a fix is available. As a temporary workaround, limit the privileges of authenticated users to only allow them to access and modify their own data.

Exploit · Fix · IDOR

Weakness Enumeration

Related Identifiers

CVE-2020-36126

Affected Products

Paxstore