Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-1223

Summary
Assigner-PaperCut
Assigner Org ID-eb41dac7-0af8-4f84-9f6d-0272772514f4
Published At-14 Mar, 2024 | 03:04
Updated At-26 Sep, 2024 | 03:50
Rejected At-
Credits

Improper authorization controls in PaperCut NG/MF

This vulnerability potentially allows unauthorized enumeration of information from the embedded device APIs. An attacker must already have existing knowledge of some combination of valid usernames, device names and an internal system key. For such an attack to be successful the system must be in a specific runtime state.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:PaperCut
Assigner Org ID:eb41dac7-0af8-4f84-9f6d-0272772514f4
Published At:14 Mar, 2024 | 03:04
Updated At:26 Sep, 2024 | 03:50
Rejected At:
▼CVE Numbering Authority (CNA)
Improper authorization controls in PaperCut NG/MF

This vulnerability potentially allows unauthorized enumeration of information from the embedded device APIs. An attacker must already have existing knowledge of some combination of valid usernames, device names and an internal system key. For such an attack to be successful the system must be in a specific runtime state.

Affected Products
Vendor
PaperCut Software Pty LtdPaperCut
Product
PaperCut NG, PaperCut MF
Platforms
  • MacOS
  • Linux
  • Windows
Default Status
affected
Versions
Affected
  • From 0 before 23.0.7 (custom)
    • -> unaffectedfrom23.0.7
  • From 0 before 22.1.5 (custom)
    • -> unaffectedfrom22.1.5
  • From 0 before 21.2.14 (custom)
    • -> unaffectedfrom21.2.14
  • From 0 before 20.1.10 (custom)
    • -> unaffectedfrom20.1.10
Problem Types
TypeCWE IDDescription
CWECWE-488CWE-488: Exposure of Data Element to Wrong Session
Type: CWE
CWE ID: CWE-488
Description: CWE-488: Exposure of Data Element to Wrong Session
Metrics
VersionBase scoreBase severityVector
3.14.8MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-131CAPEC-131 Resource Leak Exposure
CAPEC ID: CAPEC-131
Description: CAPEC-131 Resource Leak Exposure
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.papercut.com/kb/Main/Security-Bulletin-March-2024
N/A
Hyperlink: https://www.papercut.com/kb/Main/Security-Bulletin-March-2024
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.papercut.com/kb/Main/Security-Bulletin-March-2024
x_transferred
Hyperlink: https://www.papercut.com/kb/Main/Security-Bulletin-March-2024
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:eb41dac7-0af8-4f84-9f6d-0272772514f4
Published At:14 Mar, 2024 | 03:15
Updated At:23 Jan, 2025 | 20:29

This vulnerability potentially allows unauthorized enumeration of information from the embedded device APIs. An attacker must already have existing knowledge of some combination of valid usernames, device names and an internal system key. For such an attack to be successful the system must be in a specific runtime state.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.8MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary3.14.8MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Type: Primary
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CPE Matches
PaperCut Software Pty Ltd
papercut
>>papercut_mf>>Versions before 20.1.10(exclusive)
cpe:2.3:a:papercut:papercut_mf:*:*:*:*:*:*:*:*
PaperCut Software Pty Ltd
papercut
>>papercut_mf>>Versions from 21.0.0(inclusive) to 21.2.14(exclusive)
cpe:2.3:a:papercut:papercut_mf:*:*:*:*:*:*:*:*
PaperCut Software Pty Ltd
papercut
>>papercut_mf>>Versions from 22.0.0(inclusive) to 22.1.5(exclusive)
cpe:2.3:a:papercut:papercut_mf:*:*:*:*:*:*:*:*
PaperCut Software Pty Ltd
papercut
>>papercut_mf>>Versions from 23.0.1(inclusive) to 23.0.7(exclusive)
cpe:2.3:a:papercut:papercut_mf:*:*:*:*:*:*:*:*
PaperCut Software Pty Ltd
papercut
>>papercut_ng>>Versions before 20.1.10(exclusive)
cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*
PaperCut Software Pty Ltd
papercut
>>papercut_ng>>Versions from 21.0.0(inclusive) to 21.2.14(exclusive)
cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*
PaperCut Software Pty Ltd
papercut
>>papercut_ng>>Versions from 22.0.0(inclusive) to 22.1.5(exclusive)
cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*
PaperCut Software Pty Ltd
papercut
>>papercut_ng>>Versions from 23.0.1(inclusive) to 23.0.7(exclusive)
cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*
Apple Inc.
apple
>>macos>>-
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
Linux Kernel Organization, Inc
linux
>>linux_kernel>>-
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
Microsoft Corporation
microsoft
>>windows>>-
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-488Secondaryeb41dac7-0af8-4f84-9f6d-0272772514f4
NVD-CWE-OtherPrimarynvd@nist.gov
CWE ID: CWE-488
Type: Secondary
Source: eb41dac7-0af8-4f84-9f6d-0272772514f4
CWE ID: NVD-CWE-Other
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.papercut.com/kb/Main/Security-Bulletin-March-2024eb41dac7-0af8-4f84-9f6d-0272772514f4
Vendor Advisory
https://www.papercut.com/kb/Main/Security-Bulletin-March-2024af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Hyperlink: https://www.papercut.com/kb/Main/Security-Bulletin-March-2024
Source: eb41dac7-0af8-4f84-9f6d-0272772514f4
Resource:
Vendor Advisory
Hyperlink: https://www.papercut.com/kb/Main/Security-Bulletin-March-2024
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

6Records found
CVE-2024-21423
Matching Score-8
Assigner-Microsoft Corporation
ShareView Details
Matching Score-8
Assigner-Microsoft Corporation
CVSS Score-4.8||MEDIUM
EPSS-1.40% / 79.64%
||
7 Day CHG~0.00%
Published-23 Feb, 2024 | 21:35
Updated-03 May, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-edge_chromiumMicrosoft Edge (Chromium-based)
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2025-43200
Matching Score-8
Assigner-Apple Inc.
ShareView Details
Matching Score-8
Assigner-Apple Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.14% / 34.27%
||
7 Day CHG+0.01%
Published-16 Jun, 2025 | 21:36
Updated-30 Jul, 2025 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-07-07||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

This issue was addressed with improved checks. This issue is fixed in watchOS 11.3.1, macOS Ventura 13.7.4, iOS 15.8.4 and iPadOS 15.8.4, iOS 16.7.11 and iPadOS 16.7.11, iPadOS 17.7.5, visionOS 2.3.1, macOS Sequoia 15.3.1, iOS 18.3.1 and iPadOS 18.3.1, macOS Sonoma 14.7.4. A logic issue existed when processing a maliciously crafted photo or video shared via an iCloud Link. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.

Action-Not Available
Vendor-Apple Inc.
Product-ipadosvisionosmacoswatchosiphone_oswatchOSiPadOSmacOSiOS and iPadOSvisionOSMultiple Products
CVE-2019-4654
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-3.7||LOW
EPSS-0.12% / 31.64%
||
7 Day CHG~0.00%
Published-15 Apr, 2020 | 15:13
Updated-16 Sep, 2024 | 23:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM QRadar 7.3.0 to 7.3.3 Patch 2 does not validate, or incorrectly validates, a certificate which could allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. IBM X-ForceID: 170965.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, Inc
Product-qradar_security_information_and_event_managerlinux_kernelQRadarQradar
CWE ID-CWE-295
Improper Certificate Validation
CVE-2023-36880
Matching Score-8
Assigner-Microsoft Corporation
ShareView Details
Matching Score-8
Assigner-Microsoft Corporation
CVSS Score-4.8||MEDIUM
EPSS-1.01% / 76.18%
||
7 Day CHG-0.03%
Published-07 Dec, 2023 | 20:45
Updated-01 Jan, 2025 | 03:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-edge_chromiumMicrosoft Edge (Chromium-based)
CVE-2025-20126
Matching Score-8
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-8
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.02% / 3.67%
||
7 Day CHG~0.00%
Published-08 Jan, 2025 | 16:09
Updated-22 Jul, 2025 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco ThousandEyes Endpoint Agent Certificate Validation Vulnerability

A vulnerability in certification validation routines of Cisco ThousandEyes Endpoint Agent for macOS and RoomOS could allow an unauthenticated, remote attacker to intercept or manipulate metrics information. This vulnerability exists because the affected software does not properly validate certificates for hosted metrics services. An on-path attacker could exploit this vulnerability by intercepting network traffic using a crafted certificate. A successful exploit could allow the attacker to masquerade as a trusted host and monitor or change communications between the remote metrics service and the vulnerable client.

Action-Not Available
Vendor-Apple Inc.Cisco Systems, Inc.
Product-roomosthousandeyes_endpoint_agentmacosCisco ThousandEyes Endpoint Agent
CWE ID-CWE-295
Improper Certificate Validation
CVE-2024-43456
Matching Score-8
Assigner-Microsoft Corporation
ShareView Details
Matching Score-8
Assigner-Microsoft Corporation
CVSS Score-4.8||MEDIUM
EPSS-0.28% / 50.63%
||
7 Day CHG~0.00%
Published-08 Oct, 2024 | 17:35
Updated-08 Jul, 2025 | 15:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Remote Desktop Services Tampering Vulnerability

Windows Remote Desktop Services Tampering Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_server_2022_23h2windows_server_2016windows_server_2012windows_server_2022windows_server_2019windows_server_2008Windows Server 2008 R2 Service Pack 1 (Server Core installation)Windows Server 2022Windows Server 2019 (Server Core installation)Windows Server 2012 (Server Core installation)Windows Server 2019Windows Server 2008 R2 Service Pack 1Windows Server 2012 R2Windows Server 2012 R2 (Server Core installation)Windows Server 2016Windows Server 2016 (Server Core installation)Windows Server 2012Windows Server 2022, 23H2 Edition (Server Core installation)
CWE ID-CWE-284
Improper Access Control
Details not found