Summary
Sophos Web Protection Appliance Web Interface is prone to multiple vulnerabilities.
1) Unauthenticated local file disclosure
Unauthenticated users can read arbitrary files from the filesystem with the privileges of the 'spiderman' operating system user.
2) OS command injection
Authenticated users can execute arbitrary commands on the underlying operating system with the privileges of the 'spiderman' operating system user.
3) Reflected Cross Site Scripting (XSS)
Solution
The vendor released version 3.7.8.2 to address these issues. Please see the references and contact the vendor for information on how to obtain and apply the updates.
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2013-2641, CVE-2013-2642, CVE-2013-2643 -
CVSS Base Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
Related Vulnerabilities