Sophos Web Appliance 4.3.10.4 Resolves Security Vulnerabilities

Critical

CVE(s)

CVE-2023-1671

CVE-2022-4934

CVE-2020-36692

Updated: 2023 11月 17

产品

Sophos Web Appliance (SWA)

发布 ID sophos-sa-20230404-swa-rce

文章版本 2

First Published 2023 4月 4

解决方法 No

Overview

The Sophos Web Appliance (SWA) 4.3.10.4 release fixes the following security issues:

CVE ID	Description	Severity
CVE-2023-1671	A pre-auth command injection vulnerability in the warn-proceed handler allowing execution of arbitrary code was discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program. CISA observed this vulnerability being used in the wild.	CRITICAL
CVE-2022-4934	A post-auth command injection vulnerability in the exception wizard allowing administrators to execute arbitrary code was discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program.	HIGH
CVE-2020-36692	A reflected XSS via POST vulnerability in report scheduler allowing execution of JavaScript code in the victim browser was discovered and responsibly disclosed to Sophos by an external researcher via the Sophos bug bounty program. The victim must be tricked into submitting a malicious form on an attacker-controlled website while logged in to SWA for the attack to succeed.	MEDIUM

End of Life date for Sophos Web Appliance is on July 20, 2023
Sophos recommends that Sophos Web Appliance is protected by a firewall and not accessible via the public Internet
There is no action required for Sophos Web Appliance customers, as updates are installed automatically by default