CVE-2023-31046

moderate-risk

Published 2023-10-19

A Path Traversal vulnerability exists in PaperCut NG before 22.1.1 and PaperCut MF before 22.1.1. Under specific conditions, this could potentially allow an authenticated attacker to achieve read-only access to the server's filesystem, because requests beginning with "GET /ui/static/..//.." reach getStaticContent in UIContentResource.class in the static-content-files servlet.

Do I need to act?

0.19% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Papercut Mf

Papercut Ng

Affected Vendors

Papercut

References (8)

Third Party Advisory https://research.aurainfosec.io/disclosure/papercut/

Third Party Advisory https://web.archive.org/web/20230814061444/https://research.aurainfosec.io/discl...

Vendor Advisory https://www.papercut.com/kb/Main/PO-1216-and-PO-1219#security-notifications

Vendor Advisory https://www.papercut.com/kb/Main/SecurityBulletinJune2023

Third Party Advisory https://research.aurainfosec.io/disclosure/papercut/

Third Party Advisory https://web.archive.org/web/20230814061444/https://research.aurainfosec.io/discl...

Vendor Advisory https://www.papercut.com/kb/Main/PO-1216-and-PO-1219#security-notifications

Vendor Advisory https://www.papercut.com/kb/Main/SecurityBulletinJune2023

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 1/34 · Minimal

Exposure 7/34 · Low