12 results (0.011 seconds)

CVSS: 4.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

30 Jun 2023 — A reflected cross-site scripting (XSS) vulnerability was discovered in Sophos Web Appliance v4.3.9.1: unescaped double-quote characters in a reflected parameter let an attacker break out of the attribute context and inject arbitrary script. • https://inf0seq.github.io/cve/2023/04/30/Cross-site-scripting-%28XSS%29-in-Sophos-Web-Appliance-4.1.1-0.9.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

04 Apr 2023 — A reflected XSS via POST vulnerability in the report scheduler of Sophos Web Appliance versions older than 4.3.10.4 allows execution of JavaScript in the victim's browser via a malicious form that the victim must submit manually while logged in to SWA. • https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
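Both reflected XSS entries above come down to a request parameter echoed into HTML without attribute-context encoding. The following is an added illustration, not code from the Sophos appliance or from any of the referenced advisories: a constructed template reflects a parameter inside a double-quoted attribute, first verbatim (the vulnerable pattern, where a `"` in the input closes the attribute) and then through `html.escape`. The parser-based check at the end shows the difference in terms a browser would care about: whether an `onfocus` handler the template never defined ends up as a real attribute.

```python
import html
from html.parser import HTMLParser

# Constructed sample template: a search/scheduler field that reflects a
# request parameter inside a double-quoted attribute.
TEMPLATE = '<input type="text" name="q" value="{value}">'

# Constructed payload: closes the value attribute and adds an event handler.
PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def render_unsafe(user_value: str) -> str:
    """Vulnerable: the parameter is spliced in verbatim, so a double quote
    in the input terminates the attribute and the rest becomes markup."""
    return TEMPLATE.format(value=user_value)


def render_escaped(user_value: str) -> str:
    """Hardened: HTML-encode for attribute context. quote=True (the
    default) turns " into &quot; and ' into &#x27; as well as & < >."""
    return TEMPLATE.format(value=html.escape(user_value, quote=True))


class _FirstInputAttrs(HTMLParser):
    """Collects the attributes of the first <input> tag, as a browser
    would parse them (attribute values are entity-decoded)."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self.attrs:
            self.attrs = dict(attrs)


def parsed_attributes(markup: str) -> dict:
    """Return the attribute map of the rendered <input>; an injected
    event handler shows up here as its own key."""
    parser = _FirstInputAttrs()
    parser.feed(markup)
    return parser.attrs


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))
    print(parsed_attributes(render_unsafe(PAYLOAD)))
    print(render_escaped(PAYLOAD))
    print(parsed_attributes(render_escaped(PAYLOAD)))
```

In the escaped rendering the whole payload survives as the literal value of the `value` attribute, which is the behaviour a report scheduler or redirect page actually wants; the fix is contextual output encoding, not stripping quotes from input.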

CVSS: 8.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

04 Apr 2023 — A post-auth command injection vulnerability in the exception wizard of Sophos Web Appliance older than version 4.3.10.4 allows administrators to execute arbitrary code. • https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 10.0 | EPSS: 94% | CPEs: 1 | EXPL: 7

04 Apr 2023 — A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows unauthenticated remote code execution; 4.3.10.4 is the fixed release. Public exploit code is available (see the Packet Storm reference). • https://packetstorm.news/files/id/172016 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

09 Jun 2017 — The Sophos Web Appliance before 4.3.2 has XSS in the FTP redirect page, aka NSWA-1342. • http://swa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.2.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.2 | EPSS: 2% | CPEs: 1 | EXPL: 0

30 Mar 2017 — In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's configuration utilities for adding (and detecting) Active Directory servers was vulnerable to remote command injection, aka NSWA-1314. • http://wsa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.1.2.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 6.5 | EPSS: 1% | CPEs: 1 | EXPL: 0

30 Mar 2017 — In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's interface responsible for generating reports was vulnerable to remote command injection via the token parameter, aka NSWA-1303. • http://wsa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.1.2.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 9.8 | EPSS: 14% | CPEs: 1 | EXPL: 2

30 Mar 2017 — In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's interface responsible for generating reports was vulnerable to remote command injection via functions, aka NSWA-1304. • https://packetstorm.news/files/id/143385 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 2

30 Mar 2017 — In Sophos Web Appliance (SWA) before 4.3.1.2, session fixation could occur, aka NSWA-1310. A public proof of concept targets version 4.3.1.1. • https://packetstorm.news/files/id/142551 • CWE-384: Session Fixation •
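The session fixation entry above says nothing about mechanism beyond the CWE, so the following added example (an illustration, not SWA code and not the referenced proof of concept) shows the class of bug in miniature. A constructed server-side session store accepts whatever session id a client presents and creates it if unknown. With that behaviour, an attacker who obtains an id and plants it on a victim (via a crafted link or an injected cookie) inherits the victim's authentication if login upgrades the session in place; regenerating the id at the privilege change and discarding the pre-auth id is the standard fix.

```python
import secrets


class SessionStore:
    """Constructed minimal session store: session id -> attributes.
    Stands in for the web application's session layer."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def get_or_create(self, presented_id):
        """Accept any id the client presents and create it if unknown.
        This permissive behaviour is what makes fixation possible."""
        if presented_id is None:
            presented_id = secrets.token_hex(16)
        self._sessions.setdefault(presented_id, {"user": None})
        return presented_id

    def user_for(self, session_id):
        """Who the given session id currently authenticates as, if anyone."""
        return self._sessions.get(session_id, {}).get("user")

    def login_without_regeneration(self, session_id, username):
        """Vulnerable: the pre-auth session is authenticated in place, so
        whoever already knows its id is now logged in as the user."""
        self._sessions.setdefault(session_id, {})["user"] = username
        return session_id

    def login_with_regeneration(self, session_id, username):
        """Hardened: drop the pre-auth session and issue a fresh id at the
        privilege change; the planted id resolves to nothing afterwards."""
        self._sessions.pop(session_id, None)
        new_id = secrets.token_hex(16)
        self._sessions[new_id] = {"user": username}
        return new_id


def fixation_attack(store: SessionStore, regenerate: bool):
    """Scenario: attacker obtains a session id, plants it on the victim,
    the victim logs in as 'admin'. Returns the user the attacker's id
    authenticates as afterwards (None means the attack failed)."""
    attacker_id = store.get_or_create(None)
    # The victim arrives carrying the planted id; the store accepts it.
    victim_id = store.get_or_create(attacker_id)
    if regenerate:
        store.login_with_regeneration(victim_id, "admin")
    else:
        store.login_without_regeneration(victim_id, "admin")
    return store.user_for(attacker_id)


if __name__ == "__main__":
    print("no regeneration ->", fixation_attack(SessionStore(), regenerate=False))
    print("with regeneration ->", fixation_attack(SessionStore(), regenerate=True))
```

A second hardening step, not shown, is to refuse ids the server never issued (so `get_or_create` would not accept an arbitrary presented id at all); id regeneration at login is still needed, because the attacker may have obtained a genuinely issued id before planting it.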

CVSS: 9.0 | EPSS: 6% | CPEs: 1 | EXPL: 4

28 Jan 2017 — The Sophos Web Appliance (version 4.2.1.3) is vulnerable to two Remote Command Injection vulnerabilities affecting its web administrative interface. These vulnerabilities occur in the MgrReport.php (/controllers/MgrReport.php) component responsible for blocking and unblocking IP addresses from accessing the device. The device doesn't properly escape the information passed in the variables 'unblockip' and 'blockip' before calling the shell_exec() function which allows for system commands to be injected into ... • https://packetstorm.news/files/id/141270 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
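The command injection entries on this page (the warn-proceed handler, the Active Directory setup, the report generator and the MgrReport.php block/unblock handlers) share one root cause: a request parameter is spliced into a shell command string. The following added example, in Python rather than the appliance's PHP and not code from Sophos or from the referenced exploits, mirrors the `blockip` case. The `iptables` invocation is an assumption used only to make the command concrete. The unsafe builder concatenates the parameter into a command string; `shell_tokens` shows what a POSIX shell would make of it; the hardened builder validates the parameter as a literal IP address and returns an argv list so no shell ever parses attacker input.

```python
import ipaddress
import shlex


def build_block_command_unsafe(ip: str) -> str:
    """Vulnerable pattern: the request parameter goes straight into a
    command string destined for a shell (cf. shell_exec() in PHP).
    The iptables command line is an assumption for illustration."""
    return "iptables -A INPUT -s " + ip + " -j DROP"


def build_block_command_safe(ip: str) -> list:
    """Hardened: accept only a syntactically valid IPv4/IPv6 address,
    then pass it as a discrete argv element (subprocess.run(argv) with
    no shell). Rejects anything containing shell metacharacters by
    construction, since they are never valid in an IP literal."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError as exc:
        raise ValueError(f"rejected non-IP value for blockip: {ip!r}") from exc
    return ["iptables", "-A", "INPUT", "-s", str(addr), "-j", "DROP"]


def shell_tokens(command: str) -> list:
    """Tokenise a command string as a POSIX shell would, with ; | & < >
    returned as their own tokens, so an injected separator is visible."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def injected_commands(command: str) -> list:
    """Return the command words that follow a ';' separator, i.e. what the
    shell would run in addition to the intended program."""
    tokens = shell_tokens(command)
    extra = []
    for i, tok in enumerate(tokens):
        if tok == ";" and i + 1 < len(tokens):
            extra.append(tokens[i + 1])
    return extra


# Constructed attacker input for the blockip parameter.
PAYLOAD = "10.0.0.1; id"

if __name__ == "__main__":
    unsafe = build_block_command_unsafe(PAYLOAD)
    print(unsafe)
    print(shell_tokens(unsafe))
    print("extra commands the shell would run:", injected_commands(unsafe))
    print(build_block_command_safe("10.0.0.1"))
    try:
        build_block_command_safe(PAYLOAD)
    except ValueError as err:
        print("hardened builder:", err)
```

Validating with `ipaddress` is stricter than escaping with `escapeshellarg`-style quoting: quoting keeps the string intact but still lets a non-address reach the firewall tool as an argument, whereas a positive allow-list plus argv execution leaves no shell and no unexpected values.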