SB2023083117 - Multiple vulnerabilities in PaperCut NG/MF

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Cross-site request forgery (CVE-ID: CVE-2023-2533)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the application administrator to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as alter security settings or execute arbitrary code.

2) Path traversal (CVE-ID: CVE-2023-31046)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences within the Application Server and Site Server. A remote non-authenticated attacker can send a specially crafted HTTP request and read arbitrary files on the system.

3) Code Injection (CVE-ID: CVE-2023-39469)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation within the External User Lookup functionality. A remote privileged user can send a specially crafted request and execute arbitrary Java code on the target system.

Remediation

Install update from vendor's website.

References

• https://fluidattacks.com/advisories/arcangel/
• https://www.papercut.com/kb/Main/SecurityBulletinJune2023
• https://www.papercut.com/kb/Main/SecurityBulletinJune2023/
• https://www.zerodayinitiative.com/advisories/ZDI-23-1285/