Papercut Mf
CVE-2023-27350
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.
AnalysisAI
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-284. This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987. Affected products include: Papercut Papercut Mf, Papercut Papercut Ng.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Papercut Mf
View allPaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or delete
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, which, under specific condition
This allows attackers to use a maliciously formed API request to gain access to an API authorization level with elevated
An unspecified vulnerability in the application server in PaperCut MF and NG versions 18.3.8 and earlier and versions 19
PaperCut MF before 18.3.6 and PaperCut NG before 18.3.6 allow script injection via the user interface, aka PC-15163. Rat
An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print
An arbitrary file creation vulnerability exists in PaperCut NG/MF that only affects Windows servers with Web Print enabl
An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print
Unspecified vulnerability in the print release functionality in PaperCut MF before 14.1 (Build 26983) has unknown impact
An authentication bypass exists in PaperCut NG versions 22.0.12 and prior that could allow a remote, unauthenticated att
This vulnerability allows an already authenticated admin user to create a malicious payload that could be leveraged for
This vulnerability potentially allows unauthorized write operations which may lead to remote code execution. Rated high
Same weakness CWE-284 – Improper Access Control
View allShare
External POC / Exploit Code
Leaving vuln.today