Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by XML External Entity (XXE) injection. An authenticated attacker can compromise the private keys of a JWT token and reuse them to manipulate the access tokens to access the platform as any desired user (clients and administrators).
References
Link | Resource |
---|---|
https://blog.pridesec.com.br/p/4c972078-5f01-419e-8bea-cf31ff2e3670/ | Exploit Third Party Advisory |
https://marketing.paxtechnology.com/about-pax | Product |
https://www.whatspos.com/ | Product |
Configurations
History
13 May 2021, 16:00
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:paxtechnology:paxstore:*:*:*:*:*:*:*:* | |
CWE | CWE-611 | |
CVSS |
v2 : v3 : |
v2 : 4.0
v3 : 6.5 |
References | (MISC) https://marketing.paxtechnology.com/about-pax - Product | |
References | (MISC) https://blog.pridesec.com.br/p/4c972078-5f01-419e-8bea-cf31ff2e3670/ - Exploit, Third Party Advisory | |
References | (MISC) https://www.whatspos.com/ - Product |
07 May 2021, 18:30
Type | Values Removed | Values Added |
---|
07 May 2021, 11:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-05-07 11:15
Updated : 2023-12-10 13:55
NVD link : CVE-2020-36124
Mitre link : CVE-2020-36124
CVE.ORG link : CVE-2020-36124
JSON object : View
Products Affected
paxtechnology
- paxstore
CWE
CWE-611
Improper Restriction of XML External Entity Reference