Vulnerabilities > Sophos

DATE CVE VULNERABILITY TITLE RISK
2022-12-01 CVE-2022-3226 OS Command Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0
An OS command injection vulnerability allows admins to execute code via SSL VPN configuration uploads in Sophos Firewall releases older than version 19.5 GA.
network
low complexity
sophos CWE-78
7.2
2022-12-01 CVE-2022-3696 Code Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0
A post-auth code injection vulnerability allows admins to execute code in Webadmin of Sophos Firewall releases older than version 19.5 GA.
network
low complexity
sophos CWE-94
7.2
2022-12-01 CVE-2022-3709 Cross-site Scripting vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0
A stored XSS vulnerability allows admin to super-admin privilege escalation in the Webadmin import group wizard of Sophos Firewall releases older than version 19.5 GA.
network
low complexity
sophos CWE-79
8.4
2022-12-01 CVE-2022-3710 SQL Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0
A post-auth read-only SQL injection vulnerability allows API clients to read non-sensitive configuration database contents in the API controller of Sophos Firewall releases older than version 19.5 GA.
network
low complexity
sophos CWE-89
2.7
2022-12-01 CVE-2022-3711 SQL Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0
A post-auth read-only SQL injection vulnerability allows users to read non-sensitive configuration database contents in the User Portal of Sophos Firewall releases older than version 19.5 GA.
network
low complexity
sophos CWE-89
4.3
2022-12-01 CVE-2022-3713 Code Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0
A code injection vulnerability allows adjacent attackers to execute code in the Wifi controller of Sophos Firewall releases older than version 19.5 GA.
low complexity
sophos CWE-94
8.8
2022-11-16 CVE-2022-3980 XXE vulnerability in Sophos Mobile
An XML External Entity (XEE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.
network
low complexity
sophos CWE-611
critical
9.8
2022-09-23 CVE-2022-3236 Injection vulnerability in Sophos Firewall
A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v19.0 MR1 and older.
network
low complexity
sophos CWE-74
critical
9.8
2022-05-05 CVE-2021-25267 Cross-site Scripting vulnerability in Sophos Firewall Firmware
Multiple XSS vulnerabilities in Webadmin allow for privilege escalation from admin to super-admin in Sophos Firewall older than version 19.0 GA.
network
sophos CWE-79
8.5
2022-05-05 CVE-2021-25268 Cross-site Scripting vulnerability in Sophos Firewall Firmware
Multiple XSS vulnerabilities in Webadmin allow for privilege escalation from MySophos admin to SFOS admin in Sophos Firewall older than version 19.0 GA.
network
sophos CWE-79
6.0