
CVE-2024-9672 – Reflected XSS in PaperCut MF
https://notcve.org/view.php?id=CVE-2024-9672
09 Dec 2024 — A reflected cross-site scripting (XSS) vulnerability exists in PaperCut NG/MF. This issue can be used to execute specially created JavaScript payloads in the browser. A user must click on a malicious link for this issue to occur. • https://www.papercut.com/kb/Main/security-bulletin-december-2024 • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •

CVE-2024-8404 – Arbitrary File Deletion in PaperCut NG/MF Web Print Hot folder
https://notcve.org/view.php?id=CVE-2024-8404
26 Sep 2024 — An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled. To exploit this vulnerability, an attacker must first obtain local login access to the Windows Server hosting PaperCut NG/MF and be capable of executing low-privilege code directly on the server via the web-print-hot-folder. Important: In most installations, this risk is mitigated by the default Windows Server configuration, which restricts local login access to Administrators on... • https://www.papercut.com/kb/Main/Security-Bulletin-May-2024 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVE-2024-8405 – Arbitrary File Creation in PaperCut NG/MF Web Print leading to a Denial of Service attack
https://notcve.org/view.php?id=CVE-2024-8405
26 Sep 2024 — An arbitrary file creation vulnerability exists in PaperCut NG/MF that only affects Windows servers with Web Print enabled. This specific flaw exists within the web-print.exe process, which can incorrectly create files that don’t exist when a maliciously formed payload is provided. This can be used to flood disk space and result in a Denial of Service (DoS) attack. Note: This CVE has been split from CVE-2024-4712. This vulnerability allows local attackers to create a denial-of-service condition on affected ... • https://www.papercut.com/kb/Main/Security-Bulletin-May-2024 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2024-4712 – Arbitrary File Creation in PaperCut NG/MF Web Print Image Handler
https://notcve.org/view.php?id=CVE-2024-4712
14 May 2024 — An arbitrary file creation vulnerability exists in PaperCut NG/MF that only affects Windows servers with Web Print enabled. This vulnerability requires local login/console access to the PaperCut NG/MF server (eg: member of a domain admin group). • https://www.papercut.com/kb/Main/security-bulletin-may-2024 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2024-3037 – Arbitrary File Deletion in PaperCut NG/MF Web Print
https://notcve.org/view.php?id=CVE-2024-3037
14 May 2024 — An arbitrary file deletion vulnerability exists in PaperCut NG/MF that only affects Windows servers with Web Print enabled. This vulnerability requires local login/console access to the PaperCut NG/MF server (eg: member of a domain admin group). • https://www.papercut.com/kb/Main/security-bulletin-may-2024 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVE-2024-1884 – Server Side Request Forgery in PaperCut NG/MF
https://notcve.org/view.php?id=CVE-2024-1884
14 Mar 2024 — This is a Server-Side Request Forgery (SSRF) vulnerability in the PaperCut NG/MF server-side module that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. This vulnerability allows remote at... • https://www.papercut.com/kb/Main/Security-Bulletin-March-2024 • CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2024-1883 – Reflected XSS in PaperCut NG/MF
https://notcve.org/view.php?id=CVE-2024-1883
14 Mar 2024 — This is a reflected cross site scripting vulnerability in the PaperCut NG/MF application server. An attacker can exploit this weakness by crafting a malicious URL that contains a script. When an unsuspecting user clicks on this malicious link, it could potentially lead to limited loss of confidentiality, integrity or availability. • https://www.papercut.com/kb/Main/Security-Bulletin-March-2024 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-76: Improper Neutralization of Equivalent Special Elements •

CVE-2024-1882 – Server-side resource injection in PaperCut NG/MF
https://notcve.org/view.php?id=CVE-2024-1882
14 Mar 2024 — This vulnerability allows an already authenticated admin user to create a malicious payload that could be leveraged for remote code execution on the server hosting the PaperCut NG/MF application server. This vulnerability allows remote attackers to execute arbitrary code on affected in... • https://www.papercut.com/kb/Main/Security-Bulletin-March-2024 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-76: Improper Neutralization of Equivalent Special Elements •

CVE-2024-1654 – Unauthorized write operations in PaperCut NG/MF
https://notcve.org/view.php?id=CVE-2024-1654
14 Mar 2024 — This vulnerability potentially allows unauthorized write operations which may lead to remote code execution. An attacker must already have authenticated admin access and knowledge of both an internal system identifier and details of another valid user to exploit this. • https://www.papercut.com/kb/Main/Security-Bulletin-March-2024 • CWE-183: Permissive List of Allowed Inputs •

CVE-2024-1223 – Improper authorization controls in PaperCut NG/MF
https://notcve.org/view.php?id=CVE-2024-1223
14 Mar 2024 — This vulnerability potentially allows unauthorized enumeration of information from the embedded device APIs. An attacker must already have existing knowledge of some combination of valid usernames, device names and an internal system key. For such an attack to be successful the system must be in a specific runtime state. • https://www.papercut.com/kb/Main/Security-Bulletin-March-2024 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-488: Exposure of Data Element to Wrong Session •