CVE-2023-42135

Name of the Vulnerable Software and Affected Versions PAX A920Pro/A50 devices with PayDroid versions 8.1.0 Sagittarius V11.1.50 20230614 or earlier

Description The issue exists due to insufficient input validation in the PayDroid operating system, allowing an attacker to execute arbitrary code via parameter injection by bypassing the input validation when flashing a specific partition. The attacker must have physical USB access to the device in order to exploit this issue.

Recommendations For PAX A920Pro/A50 devices with PayDroid versions 8.1.0 Sagittarius V11.1.50 20230614 or earlier, consider restricting physical USB access to the device to minimize the risk of exploitation. As a temporary workaround, avoid flashing specific partitions until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.