Sophos, a leading cybersecurity vendor, recently addressed three vulnerabilities in its Sophos Web Appliance: a critical flaw, a high-severity code execution issue, and a medium-severity reflected cross-site scripting vulnerability.
The critical flaw, tracked as CVE-2023-1671, is a pre-auth command injection issue with a CVSS score of 9.8 that affects appliances older than version 4.3.10.4. Because no authentication is required, the flaw can lead to code execution that allows an attacker to take control of the system.
The second issue addressed by Sophos, tracked as CVE-2022-4934, is a high-severity post-auth command injection vulnerability in the exception wizard that allows administrators to execute arbitrary code. The company also fixed a medium-severity reflected cross-site scripting vulnerability, tracked as CVE-2020-36692, which allows an attacker to execute JavaScript code in the victim's browser.
All the vulnerabilities were responsibly disclosed to Sophos by external security researchers via the Sophos bug bounty program. The program encourages security researchers to report potential vulnerabilities and offers rewards to those who successfully identify them.
Sophos Web Appliance will reach end-of-life status on July 20, 2023. The company recommends that customers replace the appliances with Sophos Firewall.
It is vital for organizations to keep their security systems up to date and to apply patches and updates regularly to protect against potential security threats.