Sophos XG Firewall Firmware vulnerabilities

| Date | CVE | Vulnerability title | Description | Attack vector | Attack complexity | Vendor | CWE | Severity | CVSS score |
|---|---|---|---|---|---|---|---|---|---|
| 2022-12-01 | CVE-2022-3226 | OS Command Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0 | An OS command injection vulnerability allows admins to execute code via SSL VPN configuration uploads in Sophos Firewall releases older than version 19.5 GA. | network | low complexity | sophos | CWE-78 | | 7.2 |
| 2022-12-01 | CVE-2022-3696 | Code Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0 | A post-auth code injection vulnerability allows admins to execute code in the Webadmin of Sophos Firewall releases older than version 19.5 GA. | network | low complexity | sophos | CWE-94 | | 7.2 |
| 2022-12-01 | CVE-2022-3709 | Cross-site Scripting vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0 | A stored XSS vulnerability allows admin-to-super-admin privilege escalation in the Webadmin import group wizard of Sophos Firewall releases older than version 19.5 GA. | network | low complexity | sophos | CWE-79 | | 8.4 |
| 2022-12-01 | CVE-2022-3710 | SQL Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0 | A post-auth read-only SQL injection vulnerability allows API clients to read non-sensitive configuration database contents in the API controller of Sophos Firewall releases older than version 19.5 GA. | network | low complexity | sophos | CWE-89 | | 2.7 |
| 2022-12-01 | CVE-2022-3711 | SQL Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0 | A post-auth read-only SQL injection vulnerability allows users to read non-sensitive configuration database contents in the User Portal of Sophos Firewall releases older than version 19.5 GA. | network | low complexity | sophos | CWE-89 | | 4.3 |
| 2022-12-01 | CVE-2022-3713 | Code Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0 | A code injection vulnerability allows adjacent attackers to execute code in the Wifi controller of Sophos Firewall releases older than version 19.5 GA. | | low complexity | sophos | CWE-94 | | 8.8 |
| 2020-08-07 | CVE-2020-17352 | OS Command Injection vulnerability in Sophos XG Firewall Firmware 17.5/18.0 | Two OS command injection vulnerabilities in the User Portal of Sophos XG Firewall through 2020-08-05 potentially allow an authenticated attacker to remotely execute arbitrary code. | network | low complexity | sophos | CWE-78 | | 8.8 |
| 2020-07-10 | CVE-2020-15504 | SQL Injection vulnerability in Sophos XG Firewall Firmware 17.0/17.5/18.0 | A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely. | network | low complexity | sophos | CWE-89 | critical | 9.8 |
| 2020-06-29 | CVE-2020-15069 | Classic Buffer Overflow vulnerability in Sophos XG Firewall Firmware 17.0/17.5 | Sophos XG Firewall 17.x through v17.5 MR12 allows a buffer overflow and remote code execution via the HTTP/S Bookmarks feature for clientless access. | network | low complexity | sophos | CWE-120 | critical | 9.8 |