Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
This vulnerability affects PaperCut MF installations and allows remote attackers to execute arbitrary code. The flaw exists within the EmailRenderer class due to a lack of proper validation of user-supplied strings before processing them with the template engine. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
An attacker can leverage this vulnerability to execute code in the context of SYSTEM, potentially leading to full system compromise. This could result in unauthorized access to sensitive information, modification of system configurations, or disruption of services running with SYSTEM privileges.
One proof-of-concept exploit is available on zerodayinitiative.com. There is no evidence of in-the-wild exploitation at the moment.
PaperCut has issued an update to correct this vulnerability. More details can be found at: https://www.papercut.com/kb/Main/Security-Bulletin-March-2024
1. Apply the security update provided by PaperCut as soon as possible.
2. Implement network segmentation to limit access to PaperCut MF installations.
3. Monitor for suspicious activities related to the EmailRenderer class.
4. Ensure that authentication mechanisms are regularly reviewed and strengthened.
5. Implement the principle of least privilege for system accounts and services.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD published the first details for CVE-2024-1882
Feedly found the first article mentioning CVE-2024-1882.
EPSS Score was set to: 0.04% (Percentile: 7.2%)
Detection for the vulnerability has been added to Qualys (379515)
Detection for the vulnerability has been added to Nessus (193336)
Feedly estimated the CVSS score as HIGH