CVE-2024-1884: 
PaperCut NG vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in the PaperCut NG/MF server-side module (CVE-2024-1884). The vulnerability allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. This vulnerability was disclosed in March 2024 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. This indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and can result in low-level impacts to both confidentiality and integrity, with no impact on availability (NVD, ZDI).

The vulnerability affects multiple versions of PaperCut NG/MF software, including versions up to 20.1.10, 21.0.0 to 21.2.14, 22.0.0 to 22.1.5, and 23.0.1 to 23.0.7. If exploited, an attacker could potentially disclose sensitive information and make unauthorized HTTP requests through the server-side application (ZDI).

PaperCut has released security updates to address this vulnerability. Users are advised to upgrade to the latest version of the software as detailed in the vendor's security bulletin (PaperCut Advisory).