- 80/2023
- Critical
Sophos has released security updates to fix multiple vulnerabilities in Sophos Web Appliance versions older than 4.3.10.4.
The addressed vulnerabilities could allow the remote attacker to gain access, cause a cross-site scripting attack, or execute arbitrary/JavaScript code on the affected versions.
Sample of the addressed vulnerabilities:
1. Sophos Pre-auth Command Injection Vulnerability (CVE-2023-1671):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. Sophos Post-auth Command Injection Vulnerability (CVE-2022-4934):
- CVSS: 7.2
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Gain Access
It should be highlighted that Sophos noted that the End of Life date for Sophos Web Appliance is on July 20, 2023.
Vulnerabilities
- CVE-2023-1671
- CVE-2022-4934
- CVE-2020-36692
Mitigations
Sophos updates are installed automatically by default; therefore, organizations should make sure that they have the most up-to-date version “4.3.10.4” available.