CVE-2020-28044

MEDIUM

ProlinOS <= 2.4.161.8859r - Unauthenticated Arbitrary File Manipulation via Management Mode

Title source: llm
STIX 2.1

Description

An attacker with physical access to a PAX Point Of Sale device with ProlinOS through 2.4.161.8859R can boot it in management mode, enable the XCB service, and then list, read, create, and overwrite files with MAINAPP permissions.

References (1)

Core 1
Core References
Third Party Advisory x_refsource_misc
https://git.lsd.cat/g/pax-pwn

Scores

CVSS v3 6.8
EPSS 0.0034
EPSS Percentile 25.4%
Attack Vector PHYSICAL
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-276
Status published
Products (1)
pax/prolinos < 2.4.161.8859r
Published Nov 02, 2020
Tracked Since Feb 18, 2026