CVE-2023-39143

PaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or delete arbitrary files. This leads to remote code execution when external device integration is enabled (a very common configuration).

CVSS v3.0 9.8 CRITICAL

9.8^/10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/	Exploit Third Party Advisory
https://www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/	Exploit Third Party Advisory
https://www.papercut.com/kb/Main/securitybulletinjuly2023/	Vendor Advisory
https://www.papercut.com/kb/Main/securitybulletinjuly2023/	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:papercut:papercut_mf::::::::
	cpe:2.3:a:papercut:papercut_ng::::::::

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

05 May 2025, 16:15

Type	Values Removed	Values Added
References	~~(MISC) https://www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/ - Exploit, Third Party Advisory~~	() https://www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/ - Exploit, Third Party Advisory
References	~~(MISC) https://www.papercut.com/kb/Main/securitybulletinjuly2023/ - Vendor Advisory~~	() https://www.papercut.com/kb/Main/securitybulletinjuly2023/ - Vendor Advisory

08 Aug 2023, 20:07

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Papercut papercut Mf Papercut papercut Ng Microsoft Microsoft windows Papercut
CWE		CWE-22
CPE		cpe:2.3:o:microsoft:windows:-:::::::* cpe:2.3:a:papercut:papercut_mf:::::::: cpe:2.3:a:papercut:papercut_ng::::::::
References	~~(MISC) https://www.papercut.com/kb/Main/securitybulletinjuly2023/ -~~	(MISC) https://www.papercut.com/kb/Main/securitybulletinjuly2023/ - Vendor Advisory
References	~~(MISC) https://www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/ -~~	(MISC) https://www.horizon3.ai/cve-2023-39143-papercut-path-traversal-file-upload-rce-vulnerability/ - Exploit, Third Party Advisory

07 Aug 2023, 18:15

Type	Values Removed	Values Added
Summary	~~PaperCut NG and PaperCut MF before 22.1.3 are vulnerable to path traversal which enables attackers to read, delete, and upload arbitrary files.~~	PaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or delete arbitrary files. This leads to remote code execution when external device integration is enabled (a very common configuration).

04 Aug 2023, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-08-04 17:15

Updated : 2025-05-05 16:15

NVD link : CVE-2023-39143

Mitre link : CVE-2023-39143

JSON object : View

Products Affected

papercut

papercut_mf
papercut_ng

microsoft

windows

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

9.8 /10