CVE-2023-2533 - OpenCVE

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. This could be exploited if the target is an admin with a current login session. Exploiting this would typically involve the possibility of deceiving an admin into clicking a specially crafted malicious link, potentially leading to unauthorized changes.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Papercut	Papercut Mf Papercut Ng

Configuration 1 [-]

OR	cpe:2.3:a:papercut:papercut_mf:22.0.10:::::::*
	cpe:2.3:a:papercut:papercut_ng:22.0.10:::::::*

No data.

References

Link	Providers
https://fluidattacks.com/advisories/arcangel/
https://www.papercut.com/kb/Main/SecurityBulletinJune2023

History

No history.

MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published: 2023-06-20T14:45:14.102Z

Updated: 2024-08-02T06:26:09.529Z

Reserved: 2023-05-05T03:13:21.706Z

Link: CVE-2023-2533

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-06-20T15:15:11.560

Modified: 2023-07-06T06:15:09.187

Link: CVE-2023-2533

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-2533", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "state": "PUBLISHED", "assignerShortName": "Fluid Attacks", "dateReserved": "2023-05-05T03:13:21.706Z", "datePublished": "2023-06-20T14:45:14.102Z", "dateUpdated": "2024-08-02T06:26:09.529Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "Linux", "MacOS"], "product": "PaperCut NG/MF", "vendor": "PaperCut", "versions": [{"lessThan": "2.1.1", "status": "affected", "version": "22.0.10", "versionType": "custom"}, {"status": "unaffected", "version": "21.2.12"}, {"status": "unaffected", "version": "20.1.8"}]}], "datePublic": "2023-06-13T17:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A Cross-Site Request Forgery (CSRF) vulnerability has been identified in\nPaperCut NG/MF, which, under specific conditions, could potentially enable\nan attacker to alter security settings or execute arbitrary code. This could\nbe exploited if the target is an admin with a current login session. Exploiting\nthis would typically involve the possibility of deceiving an admin into clicking\na specially crafted malicious link, potentially leading to unauthorized changes.<br>"}], "value": "A Cross-Site Request Forgery (CSRF) vulnerability has been identified in\nPaperCut NG/MF, which, under specific conditions, could potentially enable\nan attacker to alter security settings or execute arbitrary code. This could\nbe exploited if the target is an admin with a current login session. Exploiting\nthis would typically involve the possibility of deceiving an admin into clicking\na specially crafted malicious link, potentially leading to unauthorized changes.\n"}], "impacts": [{"capecId": "CAPEC-62", "descriptions": [{"lang": "en", "value": "CAPEC-62 Cross Site Request Forgery"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2023-07-06T05:19:14.394Z"}, "references": [{"url": "https://fluidattacks.com/advisories/arcangel/"}, {"url": "https://www.papercut.com/kb/Main/SecurityBulletinJune2023"}], "source": {"discovery": "EXTERNAL"}, "title": "PaperCut MF/NG 22.0.10 (Build 65996 2023-03-27) - Remote code execution via CSRF", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:26:09.529Z"}, "title": "CVE Program Container", "references": [{"url": "https://fluidattacks.com/advisories/arcangel/", "tags": ["x_transferred"]}, {"url": "https://www.papercut.com/kb/Main/SecurityBulletinJune2023", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:papercut:papercut_mf:22.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "17E90E69-B5B5-4F51-B478-CC4CF7B9440D", "vulnerable": true}, {"criteria": "cpe:2.3:a:papercut:papercut_ng:22.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "5F1E8F89-A578-499F-92BF-F3E71C5FDA4D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Cross-Site Request Forgery (CSRF) vulnerability has been identified in\nPaperCut NG/MF, which, under specific conditions, could potentially enable\nan attacker to alter security settings or execute arbitrary code. This could\nbe exploited if the target is an admin with a current login session. Exploiting\nthis would typically involve the possibility of deceiving an admin into clicking\na specially crafted malicious link, potentially leading to unauthorized changes.\n"}], "id": "CVE-2023-2533", "lastModified": "2023-07-06T06:15:09.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "help@fluidattacks.com", "type": "Secondary"}]}, "published": "2023-06-20T15:15:11.560", "references": [{"source": "help@fluidattacks.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://fluidattacks.com/advisories/arcangel/"}, {"source": "help@fluidattacks.com", "url": "https://www.papercut.com/kb/Main/SecurityBulletinJune2023"}], "sourceIdentifier": "help@fluidattacks.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "help@fluidattacks.com", "type": "Secondary"}]}