ADVISORY!

TLP: CLEAR

Date: 19/03/2024

REF NO: CERT / 2024/03/21

PaperCut Multiple Vulnerabilities

Severity Level: Medium

Components Affected

  • Versions prior to PaperCut NG/MF version 23.0.7

Overview

Multiple vulnerabilities were identified in PaperCut. A remote attacker could exploit some of these vulnerabilities to trigger cross-site scripting, elevation of privilege, remote code execution, sensitive information disclosure and spoofing on the targeted system.

Description

PaperCut NG/MF is affected by several security flaws, including Server-Side Request Forgery (SSRF), Reflected Cross-Site Scripting (XSS), and Remote Code Execution (RCE). An attacker can exploit the SSRF flaw to make the server issue unauthorized HTTP requests. The XSS flaws allow an attacker to craft malicious URLs that compromise user confidentiality and system integrity. An authenticated admin user can abuse the RCE flaw to execute arbitrary code on the server, potentially causing severe damage. Additionally, unauthorized write operations and API authorization bypasses further increase the risk. Immediate remediation is required to protect PaperCut NG/MF systems from exploitation and to mitigate the potential consequences of these vulnerabilities.

Impact

  • Cross-Site Scripting
  • Elevation of Privilege
  • Remote Code Execution
  • Information Disclosure
  • Spoofing

Solution / Workarounds

Before installing the software, please visit the vendor website for more details.

Apply fixes issued by the vendor:

  • PaperCut NG/MF 23.0.7
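As an added example (not part of the advisory or of PaperCut's own tooling), a small Python check that flags hosts running a PaperCut NG/MF version earlier than the fixed 23.0.7 release. The inventory, hostnames and the "(Build …)" suffix format are constructed assumptions; the point is to compare versions numerically so that 23.0.10 is correctly treated as newer than 23.0.7.

```python
import re

# Fixed release named in the advisory: PaperCut NG/MF 23.0.7
FIXED_VERSION = "23.0.7"


def parse_version(version: str) -> tuple:
    """Turn a dotted version string such as '23.0.7', 'v21.2.11' or
    '23.0.10 (Build 70000)' into a tuple of ints so it compares
    numerically rather than lexically ('23.0.10' > '23.0.7')."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so '23.0' compares equal to '23.0.0'
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: dict) -> list:
    """Return the hosts in an inventory {host: version} that still need the fix."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only
    SAMPLE_INVENTORY = {
        "print-srv-01": "22.1.4",
        "print-srv-02": "23.0.7",
        "print-srv-03": "23.0.10 (Build 70000)",
        "print-srv-04": "v21.2.11",
    }
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} predates {FIXED_VERSION}, apply the vendor fix")
```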

Reference

Disclaimer: The information provided herein is on an “as is” basis, without warranty of any kind.

Sri Lanka Computer Emergency Readiness Team | Coordination Centre

Copyright © 2023 SRI LANKA CERT | CC