CVE-2023-2508

Опубликовано: 20 сент. 2023

Источник: nvd

CVSS3: 5.3

CVSS3: 6.5

EPSS Низкий

Описание

The PaperCutNG Mobility Print version 1.0.3512 application allows an

unauthenticated attacker to perform a CSRF attack on an instance

administrator to configure the clients host (in the "configure printer

discovery" section). This is possible because the application has no

protections against CSRF attacks, like Anti-CSRF tokens, header origin

validation, samesite cookies, etc.

Ссылки

https://fluidattacks.com/advisories/solveig/
Exploit
Third Party Advisory
https://www.papercut.com/help/manuals/mobility-print/release-history/#mobility-print-server
Release Notes
https://fluidattacks.com/advisories/solveig/
Exploit
Third Party Advisory
https://www.papercut.com/help/manuals/mobility-print/release-history/#mobility-print-server
Release Notes

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:a:papercut:mobility_print_server:1.0.3512:*:*:*:*:*:*:*

cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

EPSS

Процентиль: 7%

0.00028

Низкий

5.3 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-352

Связанные уязвимости

GHSA-9q29-w6f4-hc36

CVSS3: 5.3

github

больше 2 лет назад

The `PaperCutNG Mobility Print` version 1.0.3512 application allows an unauthenticated attacker to perform a CSRF attack on an instance administrator to configure the clients host (in the "configure printer discovery" section). This is possible because the application has no protections against CSRF attacks, like Anti-CSRF tokens, header origin validation, samesite cookies, etc.

EPSS

Процентиль: 7%

0.00028

Низкий

5.3 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-352