CVE-2023-4818

CVSS v3.1

7.6

High

Vector

AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions PAX A920 device (affected versions not specified)

Description The issue is related to a bug in the version check of the PAX A920 device's bootloader, allowing it to be downgraded. The device correctly checks the signature and only allows bootloaders signed by PAX to be used. To exploit this, an attacker must have physical USB access to the device. Additionally, there is a mention of an operating system vulnerability, PayDroid, due to insufficient input validation, which could allow an attacker to execute arbitrary code.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Hidden Functionality

Special Elements Injection

Link Following

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-912CWE-74CWE-59CWE-20

Related Identifiers

BDU:2024-01108

BDU:2024-01109

BDU:2024-01110

BDU:2024-01111

BDU:2024-01112

CVE-2023-4818

Affected Products

Pax A920

CVE-2023-4818

Weakness Enumeration

Related Identifiers

Affected Products

References · 18