CVE-2022-26582

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-26582
PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow an attacker to gain root access through command injection in systool client. The attacker must have shell access to the device in order to exploit this vulnerability.

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c Third Party Advisory
https://github.com/wr3nchsr/PAX-Paydroid-Advisories/blob/master/advisories/2022/CVEs/CVE-2022-26582.md
https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:paxtechnology:paydroid:7.1.1_virgo_v04.3.26t1_20210419:*:*:*:*:*:*:*
cpe:2.3:h:paxtechnology:a930:-:*:*:*:*:*:*:*
History

23 Apr 2024, 14:15

Type Values Removed Values Added
Summary
  • (es) El dispositivo PAX A930 con PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 puede permitir a un atacante obtener acceso de root mediante la inyección de comandos en el cliente systool. El atacante debe tener acceso de shell al dispositivo para poder aprovechar esta vulnerabilidad.
References
  • () https://wr3nchsr.github.io/pax-paydroid-vulnerabilities-advisory-2022/ -

12 Apr 2023, 14:15

Type Values Removed Values Added
Summary The systool_server in PAX Technology A930 PayDroid 7.1.1 Virgo V04.4.02 20211201 fails to check for dollar signs or backticks in user supplied commands, leading to to arbitrary command execution as root. PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow an attacker to gain root access through command injection in systool client. The attacker must have shell access to the device in order to exploit this vulnerability.

01 Mar 2023, 00:15

Type Values Removed Values Added
References
  • (MISC) https://github.com/wr3nchsr/PAX-Paydroid-Advisories/blob/master/advisories/2022/CVEs/CVE-2022-26582.md -

22 Dec 2022, 16:28

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.8
References (MISC) https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c - (MISC) https://cyshield.com/e077d6c3-adff-49a1-afc3-71e10140f95c - Third Party Advisory
First Time Paxtechnology
Paxtechnology paydroid
Paxtechnology a930
CWE CWE-78
CWE-20
CPE cpe:2.3:h:paxtechnology:a930:-:*:*:*:*:*:*:*
cpe:2.3:o:paxtechnology:paydroid:7.1.1_virgo_v04.3.26t1_20210419:*:*:*:*:*:*:*

16 Dec 2022, 22:15

Type Values Removed Values Added
New CVE
Information

Published : 2022-12-16 22:15

Updated : 2024-04-23 14:15

NVD link : CVE-2022-26582

Mitre link : CVE-2022-26582

CVE.ORG link : CVE-2022-26582

JSON object : View

Products Affected

paxtechnology

  • paydroid
  • a930
CWE
CWE-20

Improper Input Validation

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')