CVE-2023-2533

PaperCut MF/NG 22.0.10 (Build 65996 2023-03-27) - Remote code execution via CSRF

CVSS 8.4 HIGHEPSS 29.5%● KEVCWE-352

In short

PaperCut MF/NG has a security flaw that allows an attacker to trick a logged-in administrator into making dangerous changes or running malicious code by clicking a specially crafted link. This happens because the application doesn't properly verify that requests come from legitimate users.

Technical detail

A CSRF vulnerability in PaperCut NG/MF 22.0.10 allows an unauthenticated attacker to forge requests that execute with an authenticated admin's privileges if the admin is tricked into clicking a malicious link. The attack vector is client-side social engineering; requires an active admin session and victim interaction. Impact includes arbitrary code execution and security configuration changes.

Summary generated and translated by AI from the official description.

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. This could be exploited if the target is an admin with a current login session. Exploiting this would typically involve the possibility of deceiving an admin into clicking a specially crafted malicious link, potentially leading to unauthorized changes.

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Affected products

PaperCut · PaperCut NG/MF

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://fluidattacks.com/advisories/arcangel/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-2533 https://www.papercut.com/kb/Main/SecurityBulletinJune2023