CVE-2018-19936
Description
PrinterOn Enterprise 4.1.4 allows Arbitrary File Deletion.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PrinterOn Enterprise 4.1.4 allows unauthenticated or authenticated users to delete arbitrary files via the web page input field in the print interface.
Vulnerability
PrinterOn Enterprise version 4.1.4 contains an arbitrary file deletion vulnerability in the CPS URL (/cps) print interface. When printing as a Guest (if enabled) or as an Authenticated user, the field intended for entering a web page URI does not properly validate the input. An attacker can supply a local file path (e.g., c:\test.txt) instead of a URL, and the application will delete the specified file after processing the print job. The software runs under the PONservice account, which is part of the local Administrators group, giving the deletion operation high privileges. The vulnerability is present in the default installation where the Post Print Option is set to "Delete From Store" [1].
Exploitation
An attacker needs network access to the PrinterOn CPS web interface and either Guest printing enabled or valid authenticated user credentials. The steps are: (1) log in as Guest or an authenticated user; (2) navigate to the CPS URL (https://<host>/cps); (3) in the "Enter a Web Page" field, input the full path of a target file on the host system (e.g., c:\windows\win.ini); (4) submit the print request. The application will attempt to process the input as a URI, but due to insufficient validation, it treats the file path as a valid resource and deletes the file after the print operation completes [1].
Impact
Successful exploitation allows an attacker to delete any file on the host system that is not currently locked by another process. This can lead to denial of service (e.g., deleting critical system files or application binaries), disruption of printing services, or data loss. Because the PONservice account runs with local administrator privileges, the attacker can delete files in protected directories, potentially causing complete system instability or requiring reinstallation [1].
Mitigation
As of the publication date of the reference (December 2018), no official patch or fixed version has been disclosed by PrinterOn. Users of PrinterOn Enterprise 4.1.4 should consider restricting network access to the CPS interface, disabling Guest printing if not required, and monitoring for unusual file deletion events. Upgrading to a later version (if available) may address this issue; however, no specific fixed version is mentioned in the available reference [1].
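The missing check described under Vulnerability, sketched as an added example (not PrinterOn code and not a vendor fix): an allow-list validator for the "Enter a Web Page" value that accepts only http/https URLs with a host and rejects local, UNC and file: paths. The function name, reason strings and sample inputs are hypothetical and constructed for illustration.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Windows drive-letter paths such as c:\test.txt, c:/test.txt or a bare "c:"
_DRIVE_PATH = re.compile(r"^[A-Za-z]:([\\/]|$)")


def check_web_page_uri(value: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a value submitted as a web page URI."""
    v = value.strip()
    if not v:
        return False, "empty"
    # Reject embedded control characters before any URL parsing happens.
    if any(ord(ch) < 0x20 for ch in v):
        return False, "control character"
    # urlsplit() would read "c:\..." as scheme "c", so test for it explicitly.
    if _DRIVE_PATH.match(v):
        return False, "windows drive path"
    if v.startswith(("\\", "/")):
        return False, "UNC or rooted path"
    try:
        parts = urlsplit(v)
    except ValueError:
        return False, "unparseable"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or 'none'}"
    if not parts.hostname:
        return False, "no host"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs; the first two are the paths quoted on this page.
    samples = [
        "c:\\test.txt",
        "c:\\windows\\win.ini",
        "file:///c:/windows/win.ini",
        "\\\\fileserver\\share\\report.pdf",
        "https:///cps",
        "https://example.com/page.html",
    ]
    for s in samples:
        print(f"{s!r:40} -> {check_web_page_uri(s)}")
```

A check like this only closes the input path; the privileges of the service account and the post-print delete behaviour described above are separate controls.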
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =4.1.4
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.exploit-db.com/exploits/45969 (mitre, exploit, x_refsource_EXPLOIT-DB)
- packetstormsecurity.com/files/150750/PrinterOn-Enterprise-4.1.4-Arbitrary-File-Deletion.html (mitre, x_refsource_MISC)