CVE-2022-26580

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-26580
PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow the execution of specific command injections on selected binaries in the ADB daemon shell service. The attacker must have physical USB access to the device in order to exploit this vulnerability.

6.8 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 5.9

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c Third Party Advisory
https://github.com/wr3nchsr/PAX-Paydroid-Advisories/blob/master/advisories/2022/CVEs/CVE-2022-26580.md
https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:paxtechnology:paydroid:7.1.1_virgo_v04.3.26t1_20210419:*:*:*:*:*:*:*
cpe:2.3:h:paxtechnology:a930:-:*:*:*:*:*:*:*
History

23 Apr 2024, 14:15

Type Values Removed Values Added
Summary
  • (es) El dispositivo PAX A930 con PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 puede permitir la ejecución de inyecciones de comandos específicos en archivos binarios seleccionados en el servicio de shell del daemon ADB. El atacante debe tener acceso USB físico al dispositivo para poder aprovechar esta vulnerabilidad.
References
  • () https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/ -

01 Mar 2023, 00:15

Type Values Removed Values Added
Summary PAX Technology A930 PayDroid 7.1.1 Virgo V04.4.02 20211201 was discovered to be vulnerable to command injection. PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow the execution of specific command injections on selected binaries in the ADB daemon shell service. The attacker must have physical USB access to the device in order to exploit this vulnerability.
References
  • (MISC) https://github.com/wr3nchsr/PAX-Paydroid-Advisories/blob/master/advisories/2022/CVEs/CVE-2022-26580.md -

22 Dec 2022, 16:18

Type Values Removed Values Added
First Time Paxtechnology
Paxtechnology paydroid
Paxtechnology a930
CPE cpe:2.3:h:paxtechnology:a930:-:*:*:*:*:*:*:*
cpe:2.3:o:paxtechnology:paydroid:7.1.1_virgo_v04.3.26t1_20210419:*:*:*:*:*:*:*
References (MISC) https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c - (MISC) https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c - Third Party Advisory
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.8
CWE CWE-78

16 Dec 2022, 22:15

Type Values Removed Values Added
New CVE
Information

Published : 2022-12-16 22:15

Updated : 2024-04-23 14:15

NVD link : CVE-2022-26580

Mitre link : CVE-2022-26580

CVE.ORG link : CVE-2022-26580

JSON object : View

Products Affected

paxtechnology

  • a930
  • paydroid
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')