CVE-2024-9672: 
PaperCut NG vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability exists in PaperCut NG/MF, identified as CVE-2024-9672. The vulnerability was discovered and disclosed on December 9, 2024. This security flaw affects PaperCut NG and PaperCut MF software versions up to (excluding) 24.1.1. The vulnerability allows attackers to execute specially crafted JavaScript payloads in the browser (NVD CVE).

The vulnerability is classified as a reflected cross-site scripting (XSS) issue with a CVSS v3.1 base score of 5.4 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. Additionally, it has a CVSS v4.0 score of 6.3 (MEDIUM) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD CVE).

When exploited, this vulnerability can lead to the execution of malicious JavaScript code in users' browsers. The impact is considered medium severity, with potential for limited loss of confidentiality and integrity, though no direct impact on availability has been identified (NVD CVE).

PaperCut has addressed this vulnerability in version 24.1.1 of both PaperCut NG and PaperCut MF. Users are advised to upgrade to this version or later to mitigate the risk (NVD CVE).