CVE-2023-27350 vulnerability in PaperCut Products
Published on April 20, 2023

This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.


Known Exploited Vulnerability

This PaperCut MF/NG Improper Access Control Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context of system.

The following remediation steps are recommended / required by May 12, 2023: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2023-27350 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical, as this vulnerability has a high impact on the confidentiality, integrity and availability of this component.

What is an Authorization Vulnerability?

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVE-2023-27350 has been classified as an Authorization vulnerability or weakness.


Products Associated with CVE-2023-27350


What versions are vulnerable to CVE-2023-27350?