A persistent cross-site scripting (XSS) vulnerability in the On-device Web Access potentially allows an unauthenticated attacker to embed JavaScript in the device management interface.

What happened? On-device Web Access (ODWA) is the interface that allows users to manage their Sophos UTM devices via a web browser. An attacker could exploit a persistent XSS vulnerability in ODWA to embed scripts on the device management interface.

How to fix it? Upgrade to version 9.710.

What next? If you are not sure whether your installation has been upgraded to version 9.710, contact Sophos Support.

Overview

Persistent Cross-Site Scripting (XSS) Vulnerability

A persistent cross-site scripting (XSS) vulnerability in the On-device Web Access potentially allows an unauthenticated attacker to embed JavaScript in the device management interface. The vulnerability exists because user-supplied input is not properly sanitized when it is passed in parameters that the interface uses to build links. Because the XSS is persistent rather than reflected, the injected content is stored and rendered again each time the affected page of the management interface is loaded, so an attacker who can submit the input without authenticating could have JavaScript execute in the browser session of an administrator who later views that page.
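
The advisory does not publish the affected parameter or the vulnerable code. The following is an added illustration, not Sophos code, of the general pattern it describes: a page that builds `<a>` links from stored parameters without encoding, next to a hardened renderer. The store, the entry names `label` and `target`, and the sample entries are constructed for this example; the third and fourth entries stand in for the kind of input an unauthenticated submitter could leave behind for an administrator to render.

```javascript
// Added example (not from the advisory or from Sophos): a stored-XSS link
// renderer beside its hardened form. All names and data here are hypothetical.

// Constructed "stored" entries, as if accepted earlier through an endpoint that
// does not require authentication and rendered later in the management UI.
const STORED_ENTRIES = [
  { label: 'VPN portal', target: 'https://vpn.example.test/' },
  { label: '<img src=x onerror=alert(document.cookie)>', target: 'https://x.test/' },   // text-context injection
  { label: 'Docs', target: 'https://x.test/" onmouseover="alert(1)' },                 // attribute breakout
  { label: 'Help', target: 'javascript:alert(document.cookie)' },                       // script-scheme URL
];

// Vulnerable renderer: raw concatenation, no encoding, no scheme check.
function renderLinkUnsafe(entry) {
  return '<a href="' + entry.target + '">' + entry.label + '</a>';
}

// Entity-encode the five characters that matter in text and double-quoted
// attribute contexts.
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  }[c]));
}

// Allow only absolute http(s) targets. javascript:, data:, vbscript: and
// unparsable values all fall back to an inert anchor. Parsing through URL also
// percent-encodes quotes and spaces, so a breakout attempt survives as a
// harmless path component.
function safeHref(target) {
  try {
    const u = new URL(String(target));
    if (u.protocol === 'http:' || u.protocol === 'https:') return u.href;
  } catch (_) {
    // unparsable input is treated as unsafe
  }
  return '#';
}

// Hardened renderer: validate the URL, then encode attribute value and element
// text for their respective contexts.
function renderLinkSafe(entry) {
  return '<a href="' + htmlEscape(safeHref(entry.target)) + '">' +
    htmlEscape(entry.label) + '</a>';
}

// The "persistent" part: whatever sits in the store is rendered for every
// administrator who opens the page.
function renderPage(entries, renderLink) {
  return '<ul>' + entries.map((e) => '<li>' + renderLink(e) + '</li>').join('') + '</ul>';
}

// Reviewer-style checks on rendered output: which tags appear beyond the ones
// the template itself emits, and does any href carry a script scheme?
function unexpectedTags(html, allowed = ['ul', 'li', 'a']) {
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)) found.add(m[1].toLowerCase());
  return [...found].filter((t) => !allowed.includes(t));
}

function hasScriptHref(html) {
  return /href="javascript:/i.test(html);
}

console.log('unsafe:', renderPage(STORED_ENTRIES, renderLinkUnsafe));
console.log('safe:  ', renderPage(STORED_ENTRIES, renderLinkSafe));
```

The two checks at the end are the kind of assertion to keep in a template's test suite: after a fix, the set of tags in rendered output should be exactly the set the template emits, and no `href` should accept a scheme other than the ones explicitly allowed. Encoding alone does not cover the `javascript:` case, which is why the scheme allow-list is separate from `htmlEscape`.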


Timeline

Published on: 03/22/2022 00:15:00 UTC
Last modified on: 03/28/2022 19:34:00 UTC