
CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

An arbitrary file creation vulnerability exists in PaperCut NG/MF that only affects Windows servers with Web Print enabled. This vulnerability requires local login/console access to the PaperCut NG/MF server (e.g., member of a domain admin group). This vulnerability allows local attackers to escalate privileges on affected installations of PaperCut NG. • https://www.papercut.com/kb/Main/security-bulletin-may-2024 • CWE-59: Improper Link Resolution Before File Access ('Link Following')

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

An arbitrary file deletion vulnerability exists in PaperCut NG/MF that only affects Windows servers with Web Print enabled. This vulnerability requires local login/console access to the PaperCut NG/MF server (e.g., member of a domain admin group). This vulnerability allows local attackers to escalate privileges on affected installations of PaperCut NG. • https://www.papercut.com/kb/Main/security-bulletin-may-2024 • CWE-59: Improper Link Resolution Before File Access ('Link Following')

CVSS: 8.2 • EPSS: 0% • CPEs: 4 • EXPL: 0

This is a Server-Side Request Forgery (SSRF) vulnerability in the PaperCut NG/MF server-side module that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PaperCut MF. Authentication is not required to exploit this vulnerability. The specific flaw exists within the pc-upconnector-service service, which listens on TCP port 9151 by default. The issue results from the lack of proper validation of a URI prior to accessing resources. • https://www.papercut.com/kb/Main/Security-Bulletin-March-2024 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 8.8 • EPSS: 0% • CPEs: 4 • EXPL: 0

This is a reflected cross-site scripting vulnerability in the PaperCut NG/MF application server. An attacker can exploit this weakness by crafting a malicious URL that contains a script. When an unsuspecting user clicks on this malicious link, it could potentially lead to limited loss of confidentiality, integrity or availability. • https://www.papercut.com/kb/Main/Security-Bulletin-March-2024 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 7.2 • EPSS: 0% • CPEs: 4 • EXPL: 0

This vulnerability allows an already authenticated admin user to create a malicious payload that could be leveraged for remote code execution on the server hosting the PaperCut NG/MF application server. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PaperCut MF. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the EmailRenderer class. The issue results from the lack of proper validation of a user-supplied string before processing it with the template engine. • https://www.papercut.com/kb/Main/Security-Bulletin-March-2024 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')