Path Traversal Vulnerability in PaperCut NG and MF by PaperCut
CVE-2023-31046

6.5 MEDIUM

Key Information:

Vendor:
PaperCut
CVE Published:
19 October 2023

Summary

A path traversal vulnerability exists in PaperCut NG and PaperCut MF versions prior to 22.1.1. Under certain conditions, an authenticated attacker can send crafted requests that manipulate the file path and reach sensitive parts of the server's filesystem, potentially exposing critical information. The issue arises from the way the static-content-files servlet handles requests containing directory traversal sequences such as '/ui/static/..//..'.

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved