Vulnerabilities > Sophos > XG Firewall Firmware
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-12-01 | CVE-2022-3226 | OS Command Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0 An OS command injection vulnerability allows admins to execute code via SSL VPN configuration uploads in Sophos Firewall releases older than version 19.5 GA. | 7.2 |
| 2022-12-01 | CVE-2022-3696 | Code Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0 A post-auth code injection vulnerability allows admins to execute code in Webadmin of Sophos Firewall releases older than version 19.5 GA. | 7.2 |
| 2022-12-01 | CVE-2022-3709 | Cross-site Scripting vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0 A stored XSS vulnerability allows admin to super-admin privilege escalation in the Webadmin import group wizard of Sophos Firewall releases older than version 19.5 GA. | 8.4 |
| 2022-12-01 | CVE-2022-3710 | SQL Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0 A post-auth read-only SQL injection vulnerability allows API clients to read non-sensitive configuration database contents in the API controller of Sophos Firewall releases older than version 19.5 GA. | 2.7 |
| 2022-12-01 | CVE-2022-3711 | SQL Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0 A post-auth read-only SQL injection vulnerability allows users to read non-sensitive configuration database contents in the User Portal of Sophos Firewall releases older than version 19.5 GA. | 4.3 |
| 2022-12-01 | CVE-2022-3713 | Code Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0 A code injection vulnerability allows adjacent attackers to execute code in the Wifi controller of Sophos Firewall releases older than version 19.5 GA. | 8.8 |
| 2020-08-07 | CVE-2020-17352 | OS Command Injection vulnerability in Sophos XG Firewall Firmware 17.5/18.0 Two OS command injection vulnerabilities in the User Portal of Sophos XG Firewall through 2020-08-05 potentially allow an authenticated attacker to remotely execute arbitrary code. | 6.5 |
| 2020-07-10 | CVE-2020-15504 | SQL Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0 A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely. | 7.5 |
| 2020-06-29 | CVE-2020-15069 | Classic Buffer Overflow vulnerability in Sophos XG Firewall Firmware 17.0/17.5 Sophos XG Firewall 17.x through v17.5 MR12 allows a Buffer Overflow and remote code execution via the HTTP/S Bookmarks feature for clientless access. | 7.5 |