CVE-2024-1221
CVE-2024-1221 is a low-severity vulnerability in Papercut Papercut Mf with a CVSS 3.x base score of 3.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-76.
Key facts
- Severity: Low (CVSS 3.x base score 3.1)
- EPSS exploit prediction: 1% (42nd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-16988
- Weakness: CWE-76
- Affected product: Papercut Papercut Mf
- Published:
- Last modified:
Description
This vulnerability potentially allows files on a PaperCut NG/MF server to be exposed using a specifically formed payload against the impacted API endpoint. The attacker must carry out some reconnaissance to gain knowledge of a system token. This CVE only affects Linux and macOS PaperCut NG/MF servers.
Frequently asked questions
- What is CVE-2024-1221?
- This vulnerability potentially allows files on a PaperCut NG/MF server to be exposed using a specifically formed payload against the impacted API endpoint. The attacker must carry out some reconnaissance to gain knowledge of a system token. This CVE only affects Linux and macOS PaperCut NG/MF servers.
- How severe is CVE-2024-1221?
- CVE-2024-1221 has a CVSS 3.x base score of 3.1, rated low severity. It is exploitable over network with high attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2024-1221 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (42nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-1221?
- CVE-2024-1221 primarily affects Papercut Papercut Mf. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2024-1221?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2024-1221 have an EU (EUVD) identifier?
- Yes. CVE-2024-1221 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-16988.
- When was CVE-2024-1221 published?
- CVE-2024-1221 was published on 2024-03-14 and last updated on 2026-06-17.
References
Affected products (2)
- cpe:2.3:a:papercut:papercut_mf:*:*:*:*:*:*:*:*
- cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*
More vulnerabilities in Papercut Papercut Mf
- CVE-2023-39143 — Critical (CVSS 9.8): PaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or…
- CVE-2023-27350 — Critical (CVSS 9.8): This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5…
- CVE-2019-12135 — Critical (CVSS 9.8): An unspecified vulnerability in the application server in PaperCut MF and NG versions 18.3.8 and earlier and versions…
- CVE-2019-8948 — Critical (CVSS 9.8): PaperCut MF before 18.3.6 and PaperCut NG before 18.3.6 allow script injection via the user interface, aka PC-15163.
- CVE-2024-1222 — High (CVSS 8.6): This allows attackers to use a maliciously formed API request to gain access to an API authorization level with…
- CVE-2023-2533 — High (CVSS 8.4): A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, which, under specific…
All CVEs affecting Papercut Papercut Mf →
Other CWE-76 vulnerabilities
- CVE-2024-2952 — Critical (CVSS 9.8): BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. The…
- CVE-2024-34359 — Critical (CVSS 9.6): llama-cpp-python is the Python bindings for llama.cpp. `llama-cpp-python` depends on class `Llama` in `llama.py` to…
- CVE-2024-4897 — High (CVSS 8.4): parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on…
- CVE-2024-1882 — High (CVSS 7.2): This vulnerability allows an already authenticated admin user to create a malicious payload that could be leveraged for…
- CVE-2024-21600 — Medium (CVSS 6.5): An Improper Neutralization of Equivalent Special Elements vulnerability in the Packet Forwarding Engine (PFE) of…
- CVE-2023-1149 — Medium (CVSS 5.4): Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.8.0.