CVSS: 9.8EPSS: 12%CPEs: 1EXPL: 0CVE-2020-29574 – CyberoamOS (CROS) SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2020-29574
11 Dec 2020 — An SQL injection vulnerability in the WebAdmin of Cyberoam OS through 2020-12-04 allows unauthenticated attackers to execute arbitrary SQL statements remotely. Una vulnerabilidad de inyección SQL en el WebAdmin de Cyberoam OS versiones hasta 04-12-2020, permite a atacantes no autenticados ejecutar sentencias SQL arbitrarias remotamente CyberoamOS (CROS) contains a SQL injection vulnerability in the WebAdmin that allows an unauthenticated attacker to execute arbitrary SQL statements remotely. • https://www.bleepingcomputer.com/news/security/sophos-fixes-sql-injection-vulnerability-in-their-cyberoam-os • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 94%CPEs: 6EXPL: 7CVE-2020-25223 – Sophos SG UTM Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-25223
25 Sep 2020 — A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11 Se presenta una vulnerabilidad de ejecución de código remota en WebAdmin de Sophos SG UTM versiones anteriores a v9.705 MR5, v9.607 MR7 y v9.511 MR11 A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM. • https://packetstorm.news/files/id/164697 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 2%CPEs: 14EXPL: 0CVE-2020-17352
https://notcve.org/view.php?id=CVE-2020-17352
07 Aug 2020 — Two OS command injection vulnerabilities in the User Portal of Sophos XG Firewall through 2020-08-05 potentially allow an authenticated attacker to remotely execute arbitrary code. Dos vulnerabilidades de inyección de comandos de Sistema Operativo en el portal de Usuario de Sophos XG Firewall hasta el 05-08-2020, permiten potencialmente a un atacante autenticado ejecutar código arbitrario remotamente • https://community.sophos.com/b/security-blog • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 14EXPL: 0CVE-2020-15504
https://notcve.org/view.php?id=CVE-2020-15504
10 Jul 2020 — A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely. The fix is built into the re-release of XG Firewall v18 MR-1 (named MR-1-Build396) and the v17.5 MR13 release. All other versions >= 17.0 have received a hotfix. Una vulnerabilidad de inyección SQL en las interfaces web de usuario y administrador de Sophos XG Firewall versiones v18.0 MR1 y anteriores, permite potencialmente a un atacante ... • https://community.sophos.com/b/security-blog/posts/advisory-resolved-rce-via-sqli-cve-2020-15504 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 64%CPEs: 14EXPL: 0CVE-2020-15069 – Sophos XG Firewall Buffer Overflow Vulnerability
https://notcve.org/view.php?id=CVE-2020-15069
29 Jun 2020 — Sophos XG Firewall 17.x through v17.5 MR12 allows a Buffer Overflow and remote code execution via the HTTP/S Bookmarks feature for clientless access. Hotfix HF062020.1 was published for all firewalls running v17.x. Sophos XG Firewall versiones 17.x hasta v17.5 MR12, permite un desbordamiento de búfer y una ejecución de código remota por medio de la funcionalidad HTTP/S Bookmarks para acceso sin cliente. La Hotfix HF062020.1 fue publicada para todos los firewalls que ejecutan versión v17.x Sophos XG Firewall... • https://community.sophos.com/b/security-blog/posts/advisory-buffer-overflow-vulnerability-in-user-portal • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14980 – Sophos Secure Email Android Application 3.9.4 Man-In-The-Middle
https://notcve.org/view.php?id=CVE-2020-14980
22 Jun 2020 — The Sophos Secure Email application through 3.9.4 for Android has Missing SSL Certificate Validation. La aplicación Sophos Secure Email versiones hasta 3.9.4 para Android, presenta una Falta de Comprobación del Certificado SSL Sophos Secure Email Android Application versions 3.9.4 and below suffer from a man-in-the-middle vulnerability due to a lack of validation of SSL certificates. • http://packetstormsecurity.com/files/158322/Sophos-Secure-Email-Android-Application-3.9.4-Man-In-The-Middle.html • CWE-295: Improper Certificate Validation •
CVSS: 9.8EPSS: 0%CPEs: 14EXPL: 0CVE-2020-11503
https://notcve.org/view.php?id=CVE-2020-11503
18 Jun 2020 — A heap-based buffer overflow in the awarrensmtp component of Sophos XG Firewall v17.5 MR11 and older potentially allows an attacker to run arbitrary code remotely. Un desbordamiento de búfer en la región heap de la memoria en el componente awarrensmtp de Sophos XG Firewall versiones v17.5 MR11 y anteriores, permite potencialmente a un atacante ejecutar código arbitrario remotamente • https://community.sophos.com/b/security-blog/posts/advisory-potential-rce-through-heap-overflow-in-awarrensmtp-cve-2020-11503 • CWE-787: Out-of-bounds Write •
CVSS: 10.0EPSS: 83%CPEs: 5EXPL: 1CVE-2020-12271 – Sophos SFOS SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2020-12271
27 Apr 2020 — A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or L... • https://community.sophos.com/kb/en-us/135412 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-10947
https://notcve.org/view.php?id=CVE-2020-10947
17 Apr 2020 — Mac Endpoint for Sophos Central before 9.9.6 and Mac Endpoint for Sophos Home before 2.2.6 allow Privilege Escalation. Mac Endpoint para Sophos Central versiones anteriores a 9.9.6 y Mac Endpoint para Sophos Home versiones anteriores a 2.2.6, permiten una Escalada de Privilegios. • https://community.sophos.com/b/security-blog/posts/advisory-cve-2020-10947---sophos-anti-virus-for-macos-privilege-escalation • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-9540
https://notcve.org/view.php?id=CVE-2020-9540
01 Mar 2020 — Sophos HitmanPro.Alert before build 861 allows local elevation of privilege. Sophos HitmanPro.Alert antes del build 861, permite una escalada de privilegios local. • https://www.hitmanpro.com/en-us/whatsnewalert.aspx •