CVE-2023-2533

Warnung

Medienbericht

Exploit

EPSS 29.46%
Veröffentlicht 20.06.2023 15:15:11
Zuletzt bearbeitet 26.02.2026 15:03:53
Quelle help@fluidattacks.com
CVE-Watchlists
Login
Unerledigt
Login

PaperCut MF/NG 22.0.10 (Build 65996 2023-03-27) - Remote code execution via CSRF

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in
PaperCut NG/MF, which, under specific conditions, could potentially enable
an attacker to alter security settings or execute arbitrary code. This could
be exploited if the target is an admin with a current login session. Exploiting
this would typically involve the possibility of deceiving an admin into clicking
a specially crafted malicious link, potentially leading to unauthorized changes.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 7

NVD 6 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Papercut ≫ Papercut Mf Version < 20.1.8

Papercut ≫ Papercut Mf Version >= 21.0.0 < 21.2.12

Papercut ≫ Papercut Mf Version >= 22.0.0 < 22.1.1

Papercut ≫ Papercut Ng Version < 20.1.8

Papercut ≫ Papercut Ng Version >= 21.0.0 < 21.2.12

Papercut ≫ Papercut Ng Version >= 22.0.0 <= 22.1.1

28.07.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability

Schwachstelle

PaperCut NG/MF contains a cross-site request forgery (CSRF) vulnerability, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	29.46%	0.979

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
help@fluidattacks.com	8.4	1.7	6	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.

VulnDex Intel

Media Report

09.08.2025 11:36

https://fluidattacks.com/advisories/arcangel/

Third Party Advisory

Exploit

https://www.papercut.com/kb/Main/SecurityBulletinJune2023

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-2533

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2023-2533

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-2533

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-2533

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-2533

28.07.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog