Sophos has released a new security advisory that has fixed 3 of its significant vulnerabilities, allowing threat actors to execute arbitrary code injection on Sophos Web Appliance (SWA).
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
This vulnerability exists on the warn-proceed handler, allowing threat actors to execute arbitrary code. An external security researcher reported it through the Sophos Bug Bounty Program.
Sophos Web Appliance 4.3.10.4 and older versions
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
This vulnerability exists on the exception wizard handler, allowing administrators to execute arbitrary code. An external security researcher reported it through the Sophos Bug Bounty Program.
Sophos Web Appliance 4.3.10.4 and older versions
CVSS Score: 5.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
This vulnerability exists on the report scheduler, allowing threat actors to execute Javascript code on the victim’s browser. To exploit this vulnerability, a threat actor must trick a victim into submitting a malicious form on any compromised website.
In contrast, the victim is logged on to Sophos Web Appliance. An external security researcher reported it through the Sophos Bug Bounty Program.
Sophos Web Appliance 4.3.10.4 and older versions
Work Order | Description |
NSWA-1689 | Resolved an XSS vulnerability in the report scheduler (CVE-2020-36692). |
NSWA-1756 | Resolved a vulnerability in the exception wizard (CVE-2022-4934). |
NSWA-1763 | Resolved a vulnerability in the warning page handler (CVE-2023-1671). |
Struggling to Apply The Security Patch in Your System? –
The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…
White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…
Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…
The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…
Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…
WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…