Risk Level - High.
Acrobat Reader versions 23.003.20284 (and earlier), 20.005.30516 (and earlier) and 20.005.30514 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
2023-04-19 - Google Chrome - CVE-2023-2033
HIGH - Warwick CSIIRT have been notified of a zero-day vulnerability in Google Chrome prior to version 112.0.5615.121 that allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page. Heap corruption occurs when misbehaving code corrupts the data heap, the block of memory that the OS sets aside for an application to hold its data in. This can lead to a threat actor executing arbitrary code. The CVE identifier associated with this issue is CVE-2023-2033.
2023-04-18 - Vulnerability Notification - PaperCut MF/NG - ZDI-CAN-19226 / PO-1219
It is confirmed that under certain circumstances this vulnerability allows an unauthenticated attacker to potentially pull information about a user stored within PaperCut MF or NG, including usernames, full names, email addresses, office/department info and any card numbers associated with the user. The attacker can also retrieve the hashed passwords for internal PaperCut-created users only (note that this does not include any password hashes for users synced from directory sources such as Microsoft 365 / Google Workspace / Active Directory and others). This could be done remotely and without the need to log in. The vendor does not have any evidence of this vulnerability being used against customers at this point.