CVE-2020-36128

Name of the Vulnerable Software and Affected Versions: Pax Technology PAXSTORE versions 7.0.8 20200511171508 and lower

Description: The issue allows an attacker to intercept HTTPS traffic from the application store, collect the request responsible for assigning the X-Terminal-Token to the terminal, and craft an X-Terminal-Token pretending to be another device. This enables the attacker to authenticate its own payment terminal in the application store through token impersonation. Each payment terminal has a session token, called X-Terminal-Token, to access the marketplace, which allows the store to identify the terminal and make available the applications distributed by its reseller.

Recommendations: For versions 7.0.8 20200511171508 and lower, consider disabling the use of the X-Terminal-Token until a patch is available to prevent token impersonation. Restrict access to the application store to minimize the risk of exploitation. Avoid using the X-Terminal-Token for authentication until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.