CVE-2024-8404: 
PaperCut NG vulnerability analysis and mitigation

An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled. The vulnerability (CVE-2024-8404) was discovered and disclosed in September 2024. The affected systems include PaperCut NG and MF versions up to (excluding) 23.0.9 running on Windows servers with Web Print functionality enabled (NVD).

The vulnerability exists within the PCWebService component, where an attacker can abuse the service to delete files by creating a symbolic link. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The weakness is classified as CWE-59: Improper Link Resolution Before File Access ('Link Following') (NVD, ZDI).

If exploited, this vulnerability allows attackers to escalate privileges and execute arbitrary code in the context of SYSTEM. The attacker can leverage this vulnerability to delete arbitrary files on the affected system, potentially impacting system integrity and availability (ZDI).

PaperCut has issued an update to correct this vulnerability. The fix is available in version 23.0.9 and later releases. Organizations should ensure they are running the latest version of PaperCut NG/MF to mitigate this vulnerability (ZDI).