HIGH - Warwick CSIIRT have been notified that there is a zero-day vulnerability in Google Chrome prior to version 112.0.5615.121 which allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page. Heap corruption is the circumstance under which misbehaving code corrupts the data heap. (The data heap is a block of memory that the OS sets aside for an application to hold its data in.) This can lead to a threat actor executing arbitrary code. The CVE identifier associated with this issue is CVE-2023-2033.

It is confirmed that under certain circumstances this allows for an unauthenticated attacker to potentially pull information about a user stored within Papercut MF or NG - including usernames, full names, email addresses, office/department info and any card numbers associated with the user. The attacker can also retrieve the hashed passwords for internal Papercut-created users only (note that this does not include any password hashes for users sync’d from directory sources such as Microsoft 365 / Google Workspace / Active Directory and others). This could be done remotely and without the need to log in. The Vendor does not have any evidence of this vulnerability being used against customers at this point.

It is confirmed that under certain circumstances this allows for an unauthenticated attacker to get Remote Code Execution (RCE) on a Papercut Application Server. This could be done remotely and without the need to log in. The vendor does not have any evidence of this vulnerability being used against customers at this point.