Summary
The web interface of the Sophos Web Protection Appliance is affected by three vulnerabilities:
1) Unauthenticated local file disclosure
An unauthenticated remote user can read arbitrary files from the appliance filesystem; the read is performed with the privileges of the 'spiderman' operating system user, so any file that user can read is exposed.
2) OS command injection
An authenticated user of the web interface can execute arbitrary commands on the underlying operating system with the privileges of the 'spiderman' operating system user.
3) Reflected Cross Site Scripting (XSS)
A reflected XSS flaw in the web interface; the affected parameter is not detailed in this entry.
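The three classes above (traversal for file disclosure, shell metacharacters for command injection, script tags for reflected XSS) leave recognisable traces in web access logs. The following triage script is an added example, not code from the page or from Sophos: it parses lines in the common "combined" log format and flags requests whose decoded parameters carry those markers. The sample lines, hostnames, paths and parameter names are constructed placeholders; this entry does not name the affected scripts or parameters, so the checks are written against any path and any query parameter rather than against specific endpoints.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Apache/nginx "combined" format. The hosts, paths
# and parameter names are placeholders for illustration only; the advisory does
# not name the affected scripts, and these are not real appliance logs.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Mar/2015:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Mar/2015:10:01:07 +0000] "GET /index.php?file=../../../../etc/passwd HTTP/1.1" 200 1733 "-" "curl/7.35.0"
10.0.0.9 - - [25/Mar/2015:10:01:09 +0000] "GET /index.php?file=..%252F..%252Fetc%252Fshadow HTTP/1.1" 403 0 "-" "curl/7.35.0"
10.0.0.12 - - [25/Mar/2015:10:02:30 +0000] "GET /admin/tools.php?host=127.0.0.1;id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.12 - - [25/Mar/2015:10:02:31 +0000] "POST /admin/tools.php?host=127.0.0.1%7Ccat%20/etc/passwd HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.3 - - [25/Mar/2015:10:03:00 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 200 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# One pattern per vulnerability class listed in the advisory.
CHECKS = {
    # "../" or "..\" as a path element, checked after decoding
    "file-disclosure": re.compile(r'(^|[\\/])\.\.([\\/]|$)'),
    # shell metacharacters that chain or substitute commands
    "command-injection": re.compile(r'[;|&`\n]|\$\('),
    # the usual reflected-XSS tells
    "xss": re.compile(r'<\s*/?\s*script|javascript:|\bon[a-z]+\s*=', re.I),
}


def decode_fully(value, rounds=3):
    """Percent-decode until the string stops changing (bounded), so a
    double-encoded payload such as ..%252F is seen as ../ by the checks."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def split_query(query):
    """Split on '&' only, so a ';' inside a value survives as a shell
    metacharacter (older urllib.parse.parse_qsl treated ';' as a separator)."""
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield decode_fully(name), decode_fully(value)


def inspect_target(target):
    """Return a sorted list of (class, location) findings for one request target."""
    parts = urlsplit(target)
    findings = set()
    if CHECKS["file-disclosure"].search(decode_fully(parts.path)):
        findings.add(("file-disclosure", "path"))
    for name, value in split_query(parts.query):
        for cls, rx in CHECKS.items():
            if rx.search(value):
                findings.add((cls, name))
    return sorted(findings)


def triage(log_text):
    """Return one dict per suspicious line: source IP, status, target and findings."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format: skip rather than guess at fields
        findings = inspect_target(m.group("target"))
        if findings:
            hits.append({
                "ip": m.group("ip"),
                "status": int(m.group("status")),
                "target": m.group("target"),
                "findings": findings,
            })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["findings"], hit["target"])
```

A 200 response alongside a traversal or metacharacter finding is the line to escalate; a 403 only tells you the attempt was made. The bounded decode loop matters in practice: a single `unquote` would leave `..%252F` undetected, while an unbounded loop is a denial-of-service hazard on adversarial input.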
Solution
The vendor released version 3.7.8.2 to address these issues. Contact the vendor for information on how to obtain and apply the update, and verify the running version after upgrading.
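A numeric version comparison is the check worth scripting when auditing a fleet, because lexical comparison gets it wrong (the string "3.7.10" sorts before "3.7.8.2"). The code below is an added example, not from the page or the vendor. It assumes that every build below 3.7.8.2 is affected, which this entry implies but does not state outright; confirm the affected range against the vendor advisory before acting on the result.

```python
import re

# Fixed version as stated in the advisory. Treating everything below it as
# affected is an assumption of this example, not a statement from the advisory.
FIXED_VERSION = "3.7.8.2"
ADVISORY_CVES = ("CVE-2013-2641", "CVE-2013-2642", "CVE-2013-2643")


def parse_version(text):
    """Extract the first dotted version from a string such as '3.7.8.2' or a
    banner like 'Sophos Web Appliance v3.7.8' and return it as a tuple of ints.
    Raises ValueError when no version is present so callers never compare a guess."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def version_lt(a, b):
    """Numeric less-than with zero padding: (3,7,8) < (3,7,8,2) and (3,7,10) > (3,7,8,2)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def is_affected(reported):
    """True if the reported version is below the fixed version."""
    return version_lt(parse_version(reported), parse_version(FIXED_VERSION))


def assess(reported):
    """Return the CVEs to report for a host, or an empty tuple if it is patched."""
    return ADVISORY_CVES if is_affected(reported) else ()


if __name__ == "__main__":
    for banner in ("3.7.8.1", "3.7.8.2", "3.7.10", "Sophos Web Appliance v3.7.8"):
        print(banner, "->", "affected" if is_affected(banner) else "patched")
```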
References
CVE: CVE-2013-2641, CVE-2013-2642, CVE-2013-2643
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Updated on 2015-03-25