Sophos vulnerabilities rated medium risk

DATE        CVE             VULNERABILITY TITLE
    Description
    Attack vector | Attack complexity (where given) | Vendor | CWE (where given) | Risk score
2021-11-26  CVE-2021-36807  SQL Injection vulnerability in Sophos Unified Threat Management Up2Date
    An authenticated user could potentially execute code via an SQL injection vulnerability in the user portal of SG UTM before version 9.708 MR8.
    Attack vector: network | Complexity: low | Vendor: sophos | CWE-89 | Risk score: 6.5
2021-10-30  CVE-2021-36808  Race Condition vulnerability in Sophos Secure Workspace
    A local attacker could bypass the app password using a race condition in Sophos Secure Workspace for Android before version 9.7.3115.
    Attack vector: local | Vendor: sophos | CWE-362 | Risk score: 4.4
2021-03-22  CVE-2021-25265  Unspecified vulnerability in Sophos Connect
    A malicious website could execute code remotely in Sophos Connect Client before version 2.1.
    Attack vector: network | Vendor: sophos | Risk score: 6.8
2020-08-07  CVE-2020-17352  OS Command Injection vulnerability in Sophos XG Firewall Firmware 17.5/18.0
    Two OS command injection vulnerabilities in the User Portal of Sophos XG Firewall through 2020-08-05 potentially allow an authenticated attacker to remotely execute arbitrary code.
    Attack vector: network | Complexity: low | Vendor: sophos | CWE-78 | Risk score: 6.5
2020-06-22  CVE-2020-14980  Improper Certificate Validation vulnerability in Sophos Secure Email 3.9.4
    The Sophos Secure Email application through 3.9.4 for Android is missing SSL certificate validation.
    Attack vector: network | Complexity: high | Vendor: sophos | CWE-295 | Risk score: 5.9
2020-04-17  CVE-2020-10947  Improper Privilege Management vulnerability in Sophos products
    Mac Endpoint for Sophos Central before 9.9.6 and Mac Endpoint for Sophos Home before 2.2.6 allow privilege escalation.
    Attack vector: network | Complexity: low | Vendor: sophos | CWE-269 | Risk score: 6.5
2020-03-02  CVE-2020-9540  Improper Privilege Management vulnerability in Sophos HitmanPro.Alert 3.7.6.744
    Sophos HitmanPro.Alert before build 861 allows local elevation of privilege.
    Attack vector: local | Complexity: low | Vendor: sophos | CWE-269 | Risk score: 4.6
2020-02-24  CVE-2020-9363  Interpretation Conflict vulnerability in Sophos products
    The Sophos AV parsing engine before 2020-01-14 allows virus-detection bypass via a crafted ZIP archive.
    Attack vector: network | Vendor: sophos | CWE-436 | Risk score: 6.8
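The advisory for CVE-2020-9363 does not say how the archive is crafted, so nothing below reproduces that bypass. What it does show is the generic check behind an interpretation conflict (CWE-436) in ZIP: every member is described twice, once in its local file header and once in the central directory, and a scanner that reads one view while the application that later extracts the file uses the other can be made to see different names, sizes or compression methods. The checker below, an added example and not Sophos code, parses both views and reports every field on which they disagree. The sample archives are constructed here: the clean one with Python's zipfile module, the tampered one by overwriting the filename in the first local header by hand.

```python
import io
import struct
import zipfile

# ZIP record signatures (PKZIP APPNOTE, little-endian on disk)
LOCAL_SIG = b"PK\x03\x04"    # local file header, precedes each member's data
CENTRAL_SIG = b"PK\x01\x02"  # central directory file header
EOCD_SIG = b"PK\x05\x06"     # end of central directory record

LOCAL_FMT = "<IHHHHHIIIHH"          # 30 fixed bytes, then filename, then extra
CENTRAL_FMT = "<IHHHHHHIIIHHHHHII"  # 46 fixed bytes, then filename, extra, comment
EOCD_FMT = "<IHHHHIIH"              # 22 fixed bytes, then archive comment


def parse_central_directory(data):
    """Walk the central directory (the view most extractors trust) and return
    one record per member, including the offset of its local file header."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, eocd)
    entries, pos = [], cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        (_, _, _, _, method, _, _, crc, csize, usize,
         nlen, xlen, clen, _, _, _, local_off) = struct.unpack_from(CENTRAL_FMT, data, pos)
        name = data[pos + 46:pos + 46 + nlen]
        entries.append({"name": name, "method": method, "crc": crc,
                        "csize": csize, "usize": usize, "offset": local_off})
        pos += 46 + nlen + xlen + clen
    return entries


def parse_local_header(data, offset):
    """Parse the local file header (the view a streaming scanner typically reads)."""
    if data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError(f"bad local header signature at offset {offset}")
    (_, _, flags, method, _, _, crc, csize, usize,
     nlen, _) = struct.unpack_from(LOCAL_FMT, data, offset)
    name = data[offset + 30:offset + 30 + nlen]
    return {"name": name, "method": method, "crc": crc,
            "csize": csize, "usize": usize, "flags": flags}


def find_header_conflicts(data):
    """Return (central_name, field, local_value, central_value) for each field
    on which the two descriptions of a member disagree. An empty list means the
    archive tells the same story to both kinds of parser."""
    conflicts = []
    for central in parse_central_directory(data):
        local = parse_local_header(data, central["offset"])
        for field in ("name", "method", "crc", "csize", "usize"):
            if local[field] == central[field]:
                continue
            # General-purpose flag bit 3: CRC and sizes are legitimately zero in
            # the local header and live in a trailing data descriptor instead.
            if field in ("crc", "csize", "usize") and local["flags"] & 0x08 and local[field] == 0:
                continue
            conflicts.append((central["name"].decode("utf-8", "replace"),
                              field, local[field], central[field]))
    return conflicts


def build_sample_archives():
    """Constructed test data: a clean archive, and a copy whose first local
    header names the member differently from the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", b"hello, world\n")
    clean = buf.getvalue()
    # The first local header sits at offset 0; its 10-byte filename starts at byte 30.
    assert clean[:4] == LOCAL_SIG and clean[30:40] == b"readme.txt"
    tampered = clean[:30] + b"readme.jpg" + clean[40:]
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = build_sample_archives()
    print("clean:   ", find_header_conflicts(clean))
    print("tampered:", find_header_conflicts(tampered))
```

A scanner that walks local headers would report the tampered member as readme.jpg while an extractor following the central directory writes readme.txt; treating any such disagreement as suspicious (or refusing to scan the archive as clean) closes that gap regardless of which field an attacker chooses to skew.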
2019-06-20  CVE-2018-16116  SQL Injection vulnerability in Sophos SFOS 17.0.8
    SQL injection vulnerability in AccountStatus.jsp in the Admin Portal of Sophos XG Firewall 17.0.8 MR-8 allows remote authenticated attackers to execute arbitrary SQL commands via the "username" GET parameter.
    Attack vector: network | Complexity: low | Vendor: sophos | CWE-89 | Risk score: 6.5
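The CVE-2018-16116 entry names the endpoint (AccountStatus.jsp), the injected parameter ("username") and the fact that the attacker must already be authenticated; the UTM user portal entry CVE-2021-36807 further up is the same weakness class with fewer details. The detector below is an added example, not Sophos code and not taken from either advisory: it parses web-server access lines in the common log format and flags requests to a watched endpoint whose watched query parameters carry SQL metacharacters or keywords after URL-decoding. The log format, the path prefix, the account name and the sample request values are all constructed for this illustration; the real portal's log layout and URL path are not given on this page.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Common log format: client, identity, authenticated user, timestamp, request line, status, bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns that rarely belong in a username but are the building blocks of SQL injection.
SQLI_RE = re.compile(r"""(?ix)
    '                                          # quote that can close a string literal
  | --                                         # SQL line comment
  | /\*                                        # SQL block comment
  | \bunion\b \s+ (?:all\s+)? \bselect\b       # result-set smuggling
  | \b(?:or|and)\b \s+ [\w'"]+ \s* = \s* [\w'"]+   # tautology such as OR 1=1
  | ;\s*\w                                     # stacked statement
  | \b(?:sleep|pg_sleep|benchmark)\s*\(        # time-based probes
  | \bwaitfor\b \s+ \bdelay\b
""")

# Constructed sample access log. The path prefix and account are invented; the
# second and fourth lines are generic injection probes, not a Sophos exploit.
SAMPLE_LOG = """\
10.0.0.5 - admin [20/Jun/2019:10:15:01 +0000] "GET /AccountStatus.jsp?username=alice HTTP/1.1" 200 512
10.0.0.5 - admin [20/Jun/2019:10:15:09 +0000] "GET /AccountStatus.jsp?username=alice%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 7340
10.0.0.7 - - [20/Jun/2019:10:16:00 +0000] "GET /index.jsp HTTP/1.1" 200 128
10.0.0.5 - admin [20/Jun/2019:10:16:44 +0000] "GET /AccountStatus.jsp?username=bob%20UNION%20SELECT%201 HTTP/1.1" 500 88
"""


def suspicious_requests(log_text, endpoint="AccountStatus.jsp", watched_params=("username",)):
    """Return (source_ip, authenticated_user, parameter, decoded_value) for every
    request to `endpoint` whose watched parameters look like SQL injection.

    The user field matters here: the weakness needs valid credentials, so a hit
    points at a compromised or misused account, not only at a source address.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path.rsplit("/", 1)[-1].lower() != endpoint.lower():
            continue
        # parse_qsl undoes percent-encoding, so %27 is inspected as a quote
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key in watched_params and SQLI_RE.search(value):
                hits.append((m["src"], m["user"], key, value))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious request from %s as user %s: %s=%r" % hit)
```

A lone quote is the noisiest rule (names such as O'Brien will trigger it), so in production either drop it or require a second indicator on the same value; the remaining rules are specific enough to page on. Because the vulnerable parameter travels in the query string of a GET, ordinary access logs are sufficient evidence, which is not true for injection in POST bodies.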
2018-10-25  CVE-2018-3970  Use of Uninitialized Resource vulnerability in Sophos HitmanPro.Alert 3.7.6.744
    An exploitable memory disclosure vulnerability exists in the 0x222000 IOCTL handler of Sophos HitmanPro.Alert 3.7.6.744.
    Attack vector: local | Complexity: low | Vendor: sophos | CWE-908 | Risk score: 5.5