
Exploit
CVE-2024-1882

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

Published: Mar 14, 2024 / Updated: 8mo ago

CVSS 7.2 / EPSS 0.04% / High

Summary

This vulnerability affects PaperCut MF installations and allows remote attackers to execute arbitrary code. The flaw exists within the EmailRenderer class due to a lack of proper validation of user-supplied strings before processing them with the template engine. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

Impact

An attacker can leverage this vulnerability to execute code in the context of SYSTEM, potentially leading to full system compromise. This could result in unauthorized access to sensitive information, modification of system configurations, or disruption of services running with SYSTEM privileges.

Exploitation

One proof-of-concept exploit is available on zerodayinitiative.com. There is no evidence of exploitation at the moment.

Patch

PaperCut has issued an update to correct this vulnerability. More details can be found at: https://www.papercut.com/kb/Main/Security-Bulletin-March-2024

Mitigation

1. Apply the security update provided by PaperCut as soon as possible.
2. Implement network segmentation to limit access to PaperCut MF installations.
3. Monitor for suspicious activities related to the EmailRenderer class.
4. Ensure that authentication mechanisms are regularly reviewed and strengthened.
5. Implement the principle of least privilege for system accounts and services.
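For the first mitigation step, a version triage built on the affected ranges in the scanner plugin title quoted on this page (PaperCut MF < 20.1.10 / 21.x < 21.2.14 / 22.x < 22.1.5 / 23.x < 23.0.7). This is an added example, not PaperCut's or Feedly's code; the host names, inventory and function names are constructed for illustration.

```python
import re

# Fixed builds per release branch, from the plugin title quoted on this page:
# "< 20.1.10 / 21.x < 21.2.14 / 22.x < 22.1.5 / 23.x < 23.0.7".
FIXED_BY_MAJOR = {21: (21, 2, 14), 22: (22, 1, 5), 23: (23, 0, 7)}
OLDEST_FIXED = (20, 1, 10)  # everything below this is flagged, whatever the branch


def parse_version(text):
    """Return (major, minor, patch) from a string containing an x.y.z version."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in match.groups())


def status(version_text):
    """Classify an installed version as 'affected', 'fixed' or 'unlisted'."""
    version = parse_version(version_text)
    # Integer tuples compare numerically, so 20.1.9 sorts below 20.1.10;
    # a plain string comparison would get that case wrong.
    if version < OLDEST_FIXED:
        return "affected"
    if version[0] == 20:
        return "fixed"
    fixed = FIXED_BY_MAJOR.get(version[0])
    if fixed is None:
        return "unlisted"  # branch not named in the title: check the vendor bulletin
    return "affected" if version < fixed else "fixed"


def triage(inventory):
    """Map each host to the status of its installed version."""
    return {host: status(version) for host, version in inventory.items()}


# Constructed inventory (hypothetical hosts and version strings).
INVENTORY = {
    "print01": "20.1.9",
    "print02": "22.1.5",
    "print03": "23.0.6 (Build 1)",
    "print04": "24.0.1",
}

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(f"{host}: {INVENTORY[host]} -> {result}")
```

Hosts reported as `unlisted` run a branch the quoted title does not name and need checking against the PaperCut bulletin linked above.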

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-1882

Mar 13, 2024 at 9:15 PM

First Article

Feedly found the first article mentioning CVE-2024-1882.

Mar 14, 2024 at 4:21 AM / National Vulnerability Database

EPSS

EPSS Score was set to: 0.04% (Percentile: 7.2%)

Mar 14, 2024 at 5:07 PM

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (379515)

Mar 18, 2024 at 12:00 AM

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (193336)

Apr 15, 2024 at 9:16 PM

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jun 18, 2024 at 8:51 PM

Affected Systems

Papercut/NG

Exploits

https://www.zerodayinitiative.com/advisories/ZDI-24-785/

Links to MITRE ATT&CK

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

Vendor Advisory

ZDI-24-785: PaperCut MF EmailRenderer Server-Side Template Injection Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of PaperCut MF. PaperCut has issued an update to correct this vulnerability.

News

PaperCut MF < 20.1.10 / 21.x < 21.2.14 / 22.x < 22.1.5 / 23.x < 23.0.7 Multiple Vulnerabilities
The version of PaperCut MF installed on the remote Windows host is affected by multiple vulnerabilities, as follows: - This vulnerability allows an already authenticated admin user to create a malicious payload that could be leveraged for remote code execution on the server hosting the PaperCut NG/MF application server.
Multiple vulnerabilities in PaperCut NG/MF
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality. The vulnerability exists due to improper access restrictions at certain API endpoints.
PaperCut NG/MF Security Bulletin
(also known as “ZDI-CAN-23116” by Trend Micro) This vulnerability could potentially allow an attacker to make an HTTP request look like it came from a PaperCut NG/MF application server. (also known as “ZDI-CAN-22328” by Trend Micro) This vulnerability potentially allows an attacker who already has authenticated access to the admin console to carry out unauthorized write operations which may lead to remote code execution.
CVE-2024-1882
High Severity. Description: This vulnerability allows an already authenticated admin user to create a malicious payload that could be leveraged for remote code execution on the server hosting the PaperCut NG/MF application server. Read more at https://www.tenable.com/cve/CVE-2024-1882

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
