The host is installed with PaperCut NG before 20.1.10, 21.x before 21.2.14, 22.x before 22.1.5, or 23.x before 23.0.7 and is prone to an improper access controls vulnerability. A flaw is present in the application, which fails to properly handle a maliciously formed API request against a misconfigured API endpoint. Successful exploitation allows an attacker to cause privilege escalation on PaperCut NG/MF servers.