Vulnerabilities > Sophos > High

DATE CVE VULNERABILITY TITLE RISK
2022-03-22 CVE-2022-0652 Incorrect Permission Assignment for Critical Resource vulnerability in Sophos Unified Threat Management
Confd log files contain local users', including root’s, SHA512crypt password hashes with insecure access permissions.
local
low complexity
sophos CWE-732
7.8
2021-11-26 CVE-2021-36807 SQL Injection vulnerability in Sophos Unified Threat Management Up2Date
An authenticated user could potentially execute code via an SQLi vulnerability in the user portal of SG UTM before version 9.708 MR8.
network
low complexity
sophos CWE-89
8.8
2021-10-30 CVE-2021-36808 Race Condition vulnerability in Sophos Secure Workspace
A local attacker could bypass the app password using a race condition in Sophos Secure Workspace for Android before version 9.7.3115.
local
high complexity
sophos CWE-362
7.0
2021-03-22 CVE-2021-25265 Unspecified vulnerability in Sophos Connect
A malicious website could execute code remotely in Sophos Connect Client before version 2.1.
network
low complexity
sophos
8.8
2020-08-07 CVE-2020-17352 OS Command Injection vulnerability in Sophos XG Firewall Firmware 17.5/18.0
Two OS command injection vulnerabilities in the User Portal of Sophos XG Firewall through 2020-08-05 potentially allow an authenticated attacker to remotely execute arbitrary code.
network
low complexity
sophos CWE-78
8.8
2020-04-17 CVE-2020-10947 Link Following vulnerability in Sophos products
Mac Endpoint for Sophos Central before 9.9.6 and Mac Endpoint for Sophos Home before 2.2.6 allow Privilege Escalation.
network
low complexity
sophos CWE-59
8.8
2020-03-02 CVE-2020-9540 Unspecified vulnerability in Sophos Hitmanpro.Alert 3.7.6.744
Sophos HitmanPro.Alert before build 861 allows local elevation of privilege.
local
low complexity
sophos
7.8
2020-02-24 CVE-2020-9363 Interpretation Conflict vulnerability in Sophos products
The Sophos AV parsing engine before 2020-01-14 allows virus-detection bypass via a crafted ZIP archive.
local
low complexity
sophos CWE-436
7.8
2019-06-20 CVE-2018-16118 OS Command Injection vulnerability in Sophos Sfos
A shell escape vulnerability in /webconsole/APIController in the API Configuration component of Sophos XG firewall 17.0.8 MR-8 allows remote attackers to execute arbitrary OS commands via shell metachracters in the "X-Forwarded-for" HTTP header.
network
high complexity
sophos CWE-78
8.1
2019-06-20 CVE-2018-16117 OS Command Injection vulnerability in Sophos Sfos
A shell escape vulnerability in /webconsole/Controller in Admin Portal of Sophos XG firewall 17.0.8 MR-8 allow remote authenticated attackers to execute arbitrary OS commands via shell metacharacters in the "dbName" POST parameter.
network
low complexity
sophos CWE-78
8.8