PT-2024-1563 · Pax · Paydroid

Author: Adam Klis +1
Published: 2024-01-15 · Updated: 2024-10-10
CVE-2023-42136
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PAX Android-based POS devices with PayDroid versions 8.1.0 Sagittarius V11.1.50 20230614 or earlier.

Description: The issue exists due to insufficient input validation in the PayDroid operating system. An attacker who already has shell access to the device can execute arbitrary commands with system account privileges by injecting shell commands into input that starts with a specific word. Shell access to the device is required to exploit this issue.

Recommendations: For PAX Android-based POS devices with PayDroid versions 8.1.0 Sagittarius V11.1.50 20230614 or earlier, restrict shell access to the device to minimize the risk of exploitation. As a temporary workaround, restrict the inputs through which shell commands could be injected so that arbitrary commands cannot be executed until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

Tags: Special Elements Injection, RCE, Command Injection

Weakness Enumeration

Related Identifiers

BDU:2024-01108
CVE-2023-42136

Affected Products

Paydroid