CVE-2024-3037: Arbitrary File Deletion in PaperCut NG/MF Web Print

First published: Tue May 14 2024(Updated: )

An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled. To exploit this vulnerability, an attacker must first obtain local login access to the Windows Server hosting PaperCut NG/MF and be capable of executing low-privilege code directly on the server. Important: In most installations, this risk is mitigated by the default Windows Server configuration, which typically restricts local login access to Administrators only. However, this vulnerability could pose a risk to customers who allow non-administrative users to log in to the local console of the Windows environment hosting the PaperCut NG/MF application server. Note: This CVE has been split into two separate CVEs (CVE-2024-3037 and CVE-2024-8404) and it’s been rescored with a "Privileges Required (PR)" rating of low, and “Attack Complexity (AC)” rating of low, reflecting the worst-case scenario where an Administrator has granted local login access to standard users on the host server.

Credit: eb41dac7-0af8-4f84-9f6d-0272772514f4

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/type
• agent/first-publish-date
• agent/author
• agent/event
• agent/references
• agent/title
• agent/severity
• agent/description
• collector/mitre-cve
• source/MITRE
• agent/source
• agent/guess-ai
• agent/software-canonical-lookup
• agent/software-canonical-lookup-request
• agent/last-modified-date
• agent/weakness
• agent/tags
• agent/softwarecombine
• collector/nvd-api
• source/NVD
• vendor/papercut
• canonical/papercut mf
• canonical/papercut ng
• vendor/microsoft
• canonical/microsoft windows