CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Sophos : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2022-1040 287 Exec Code Bypass 2022-03-25 2022-03-31
7.5
None Remote Low Not required Partial Partial Partial
An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.
2 CVE-2022-0652 307 2022-03-22 2022-03-28
2.1
None Local Low Not required Partial None None
Confd log files contain local users', including root’s, SHA512crypt password hashes with insecure access permissions. This allows a local attacker to attempt off-line brute-force attacks against these password hashes in Sophos UTM before version 9.710.
3 CVE-2022-0386 89 Exec Code Sql 2022-03-22 2022-03-28
6.5
None Remote Low ??? Partial Partial Partial
A post-auth SQL injection vulnerability in the Mail Manager potentially allows an authenticated attacker to execute code in Sophos UTM before version 9.710.
4 CVE-2022-0331 200 +Info 2022-03-29 2022-04-05
5.0
None Remote Low Not required Partial None None
An information disclosure vulnerability in Webadmin allows an unauthenticated remote attacker to read the device serial number in Sophos Firewall version v18.5 MR2 and older.
5 CVE-2021-36809 269 DoS 2022-03-08 2022-03-11
3.6
None Local Low Not required None Partial Partial
A local attacker can overwrite arbitrary files on the system with VPN client logs using administrator privileges, potentially resulting in a denial of service and data loss, in all versions of Sophos SSL VPN client.
6 CVE-2021-36808 362 Bypass 2021-10-30 2021-11-29
4.4
None Local Medium Not required Partial Partial Partial
A local attacker could bypass the app password using a race condition in Sophos Secure Workspace for Android before version 9.7.3115.
7 CVE-2021-36807 89 Exec Code Sql 2021-11-26 2021-11-30
6.5
None Remote Low ??? Partial Partial Partial
An authenticated user could potentially execute code via an SQLi vulnerability in the user portal of SG UTM before version 9.708 MR8.
8 CVE-2021-25273 79 XSS 2021-07-29 2021-12-16
3.5
None Remote Medium ??? None Partial None
Stored XSS can execute as administrator in quarantined email detail view in Sophos UTM before version 9.706.
9 CVE-2021-25271 2021-10-08 2022-05-03
3.6
None Local Low Not required Partial Partial None
A local attacker could read or write arbitrary files with administrator privileges in HitmanPro before version Build 318.
10 CVE-2021-25270 Exec Code 2021-10-08 2022-05-03
7.2
None Local Low Not required Complete Complete Complete
A local attacker could execute arbitrary code with administrator privileges in HitmanPro.Alert before version Build 901.
11 CVE-2021-25269 428 2021-11-26 2021-12-03
2.1
None Local Low Not required None None Partial
A local administrator could prevent the HMPA service from starting despite tamper protection using an unquoted service path vulnerability in the HMPA component of Sophos Intercept X Advanced and Sophos Intercept X Advanced for Server before version 2.0.23, as well as Sophos Exploit Prevention before version 3.8.3.
12 CVE-2021-25266 922 2022-04-27 2022-05-06
2.1
None Local Low Not required Partial None None
An insecure data storage vulnerability allows a physical attacker with root privileges to retrieve TOTP secret keys from unlocked phones in Sophos Authenticator for Android version 3.4 and older, and Intercept X for Mobile (Android) before version 9.7.3495.
13 CVE-2021-25264 94 Exec Code 2021-05-17 2021-05-25
7.2
None Local Low Not required Complete Complete Complete
In multiple versions of Sophos Endpoint products for MacOS, a local attacker could execute arbitrary code with administrator privileges.
14 CVE-2020-29574 89 Sql 2020-12-11 2020-12-14
7.5
None Remote Low Not required Partial Partial Partial
An SQL injection vulnerability in the WebAdmin of Cyberoam OS through 2020-12-04 allows unauthenticated attackers to execute arbitrary SQL statements remotely.
15 CVE-2020-25223 Exec Code 2020-09-25 2021-12-10
10.0
None Remote Low Not required Complete Complete Complete
A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before v9.705 MR5, v9.607 MR7, and v9.511 MR11
16 CVE-2020-17352 78 Exec Code 2020-08-07 2020-08-12
6.5
None Remote Low ??? Partial Partial Partial
Two OS command injection vulnerabilities in the User Portal of Sophos XG Firewall through 2020-08-05 potentially allow an authenticated attacker to remotely execute arbitrary code.
17 CVE-2020-15504 89 Sql 2020-07-10 2020-07-14
7.5
None Remote Low Not required Partial Partial Partial
A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely. The fix is built into the re-release of XG Firewall v18 MR-1 (named MR-1-Build396) and the v17.5 MR13 release. All other versions >= 17.0 have received a hotfix.
18 CVE-2020-14980 295 2020-06-22 2020-07-06
4.3
None Remote Medium Not required Partial None None
The Sophos Secure Email application through 3.9.4 for Android has Missing SSL Certificate Validation.
19 CVE-2020-10947 269 2020-04-17 2021-07-21
6.5
None Remote Low ??? Partial Partial Partial
Mac Endpoint for Sophos Central before 9.9.6 and Mac Endpoint for Sophos Home before 2.2.6 allow Privilege Escalation.
20 CVE-2020-9540 269 2020-03-02 2021-07-21
4.6
None Local Low Not required Partial Partial Partial
Sophos HitmanPro.Alert before build 861 allows local elevation of privilege.
21 CVE-2020-9363 436 Bypass 2020-02-24 2022-04-18
6.8
None Remote Medium Not required Partial Partial Partial
The Sophos AV parsing engine before 2020-01-14 allows virus-detection bypass via a crafted ZIP archive. This affects Endpoint Protection, Cloud Optix, Mobile, Intercept X Endpoint, Intercept X for Server, and Secure Web Gateway. NOTE: the vendor feels that this does not apply to endpoint-protection products because the virus would be detected upon extraction.
22 CVE-2018-9233 916 2018-04-05 2019-10-03
2.1
None Local Low Not required Partial None None
Sophos Endpoint Protection 10.7 uses an unsalted SHA-1 hash for password storage in %PROGRAMDATA%\Sophos\Sophos Anti-Virus\Config\machine.xml, which makes it easier for attackers to determine a cleartext password, and subsequently choose unsafe malware settings, via rainbow tables or other approaches.
23 CVE-2018-6857 119 Exec Code Overflow 2018-07-09 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x802022E0. By crafting an input buffer we can control the execution path to the point where the constant 0x12 will be written to a user-controlled address. We can take advantage of this condition to modify the SEP_TOKEN_PRIVILEGES structure of the Token object belonging to the exploit process and grant SE_DEBUG_NAME privilege. This allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context.
24 CVE-2018-6856 119 Exec Code Overflow 2018-07-09 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x8020601C. By crafting an input buffer we can control the execution path to the point where a global variable will be written to a user controlled address. We can take advantage of this condition to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself and run code in the context of a process running as SYSTEM.
25 CVE-2018-6855 119 Exec Code Overflow 2018-07-09 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80202014. By crafting an input buffer we can control the execution path to the point where the constant 0xFFFFFFF will be written to a user-controlled address. We can take advantage of this condition to modify the SEP_TOKEN_PRIVILEGES structure of the Token object belonging to the exploit process and grant SE_DEBUG_NAME privilege. This allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context.
26 CVE-2018-6854 119 Exec Code Overflow 2018-07-09 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via multiple IOCTLs, e.g., 0x8810200B, 0x8810200F, 0x8810201B, 0x8810201F, 0x8810202B, 0x8810202F, 0x8810203F, 0x8810204B, 0x88102003, 0x88102007, 0x88102013, 0x88102017, 0x88102027, 0x88102033, 0x88102037, 0x88102043, and 0x88102047. When some conditions in the user-controlled input buffer are not met, the driver writes an error code (0x2000001A) to a user-controlled address. Also, note that all the aforementioned IOCTLs use transfer type METHOD_NEITHER, which means that the I/O manager does not validate any of the supplied pointers and buffer sizes. So, even though the driver checks for input/output buffer sizes, it doesn't validate if the pointers to those buffers are actually valid. So, we can supply a pointer for the output buffer to a kernel address space address, and the error code will be written there. We can take advantage of this condition to modify the SEP_TOKEN_PRIVILEGES structure of the Token object belonging to the exploit process and grant SE_DEBUG_NAME privilege. This allows the exploit process to interact with higher privileged processes running as SYSTEM and execute code in their security context.
27 CVE-2018-6853 119 Exec Code Overflow 2018-07-09 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80206024. By crafting an input buffer we can control the execution path to the point where a global variable will be written to a user controlled address. We can take advantage of this condition to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself and run code in the context of a process running as SYSTEM.
28 CVE-2018-6852 119 Exec Code Overflow 2018-07-09 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80202298. By crafting an input buffer we can control the execution path to the point where the nt!memset function is called to zero out contents of a user-controlled address. We can take advantage of this condition to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself and run code in the context of a process running as SYSTEM.
29 CVE-2018-6851 119 Exec Code Overflow 2018-07-09 2019-10-03
7.2
None Local Low Not required Complete Complete Complete
Sophos SafeGuard Enterprise before 8.00.5, SafeGuard Easy before 7.00.3, and SafeGuard LAN Crypt before 3.95.2 are vulnerable to Local Privilege Escalation via IOCTL 0x80206040. By crafting an input buffer we can control the execution path to the point where the constant DWORD 0 will be written to a user-controlled address. We can take advantage of this condition to zero-out the pointer to the security descriptor in the object header of a privileged process or modify the security descriptor itself and run code in the context of a process running as SYSTEM.
30 CVE-2018-6319 476 DoS 2018-02-02 2019-10-03
4.9
None Local Low Not required None None Complete
In Sophos Tester Tool 3.2.0.7 Beta, the driver accepts a special DeviceIoControl code that doesn't check its argument. This argument is a memory address: if a caller passes a NULL pointer or a random invalid address, the driver will cause a Blue Screen of Death. If a program or malware does this at boot time, it can cause a persistent denial of service on the machine.
31 CVE-2018-6318 426 2018-02-02 2018-02-15
9.3
None Remote Medium Not required Complete Complete Complete
In Sophos Tester Tool 3.2.0.7 Beta, the driver loads (in the context of the application used to test an exploit or ransomware) the DLL using a payload that runs from NTDLL.DLL (so, it's run in userland), but the driver doesn't perform any validation of this DLL (not its signature, not its hash, etc.). A person can change this DLL in a local way, or with a remote connection, to a malicious DLL with the same name -- and when the product is used, this malicious DLL will be loaded, aka a DLL Hijacking attack.
32 CVE-2018-4863 254 Bypass 2018-04-05 2018-05-18
2.1
None Local Low Not required None Partial None
Sophos Endpoint Protection 10.7 allows local users to bypass an intended tamper protection mechanism by deleting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Sophos Endpoint Defense\ registry key.
33 CVE-2018-3971 123 Mem. Corr. 2018-10-25 2022-04-19
7.2
None Local Low Not required Complete Complete Complete
An exploitable arbitrary write vulnerability exists in the 0x2222CC IOCTL handler functionality of Sophos HitmanPro.Alert 3.7.6.744. A specially crafted IRP request can cause the driver to write data under controlled by an attacker address, resulting in memory corruption. An attacker can send IRP request to trigger this vulnerability.
34 CVE-2018-3970 908 2018-10-25 2022-04-19
2.1
None Local Low Not required Partial None None
An exploitable memory disclosure vulnerability exists in the 0x222000 IOCTL handler functionality of Sophos HitmanPro.Alert 3.7.6.744. A specially crafted IRP request can cause the driver to return uninitialized memory, resulting in kernel memory disclosure. An attacker can send an IRP request to trigger this vulnerability.
35 CVE-2017-17023 345 2019-04-09 2019-10-03
9.3
None Remote Medium Not required Complete Complete Complete
The Sophos UTM VPN endpoint interacts with client software provided by NPC Engineering (www.ncp-e.com). The affected client software, "Sophos IPSec Client" 11.04 is a rebranded version of NCP "Secure Entry Client" 10.11 r32792. A vulnerability in the software update feature of the VPN client allows a man-in-the-middle (MITM) or man-on-the-side (MOTS) attacker to execute arbitrary, malicious software on a target user's computer. This is related to SIC_V11.04-64.exe (Sophos), NCP_EntryCl_Windows_x86_1004_31799.exe (NCP), and ncpmon.exe (both Sophos and NCP). The vulnerability exists because: (1) the VPN client requests update metadata over an insecure HTTP connection; and (2) the client software does not check if the software update is signed before running it.
36 CVE-2017-9523 79 XSS 2017-06-09 2017-06-15
4.3
None Remote Medium Not required None Partial None
The Sophos Web Appliance before 4.3.2 has XSS in the FTP redirect page, aka NSWA-1342.
37 CVE-2017-7441 119 Overflow +Info 2017-09-13 2017-09-26
7.2
None Local Low Not required Complete Complete Complete
In Sophos SurfRight HitmanPro before 3.7.20 Build 286 (included in the HitmanPro.Alert solution and Sophos Clean), a crafted IOCTL with code 0x22E1C0 might lead to kernel data leaks. Because the leak occurs at the driver level, an attacker can use this vulnerability to leak some critical information about the machine such as nt!ExpPoolQuotaCookie.
38 CVE-2017-6412 384 2017-03-30 2017-04-15
6.8
None Remote Medium Not required Partial Partial Partial
In Sophos Web Appliance (SWA) before 4.3.1.2, Session Fixation could occur, aka NSWA-1310.
39 CVE-2017-6184 77 2017-03-30 2017-04-04
6.5
None Remote Low ??? Partial Partial Partial
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's interface responsible for generating reports was vulnerable to remote command injection via the token parameter, aka NSWA-1303.
40 CVE-2017-6183 77 2017-03-30 2017-04-04
6.5
None Remote Low ??? Partial Partial Partial
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's configuration utilities for adding (and detecting) Active Directory servers was vulnerable to remote command injection, aka NSWA-1314.
41 CVE-2017-6182 78 2017-03-30 2019-10-03
7.5
None Remote Low Not required Partial Partial Partial
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's interface responsible for generating reports was vulnerable to remote command injection via functions, aka NSWA-1304.
42 CVE-2017-6008 119 Overflow 2017-09-13 2017-10-29
4.6
None Local Low Not required Partial Partial Partial
A kernel pool overflow in the driver hitmanpro37.sys in Sophos SurfRight HitmanPro before 3.7.20 Build 286 (included in the HitmanPro.Alert solution and Sophos Clean) allows local users to escalate privileges via a malformed IOCTL call.
43 CVE-2017-6007 119 Overflow 2017-09-13 2017-09-21
4.9
None Local Low Not required None None Complete
A kernel pool overflow in the driver hitmanpro37.sys in Sophos SurfRight HitmanPro before 3.7.20 Build 286 (included in the HitmanPro.Alert solution and Sophos Clean) allows local users to crash the OS via a malformed IOCTL call.
44 CVE-2016-9554 77 Exec Code 2017-01-28 2017-03-13
9.0
None Remote Low ??? Complete Complete Complete
The Sophos Web Appliance Remote / Secure Web Gateway server (version 4.2.1.3) is vulnerable to a Remote Command Injection vulnerability in its web administrative interface. These vulnerabilities occur in MgrDiagnosticTools.php (/controllers/MgrDiagnosticTools.php), in the component responsible for performing diagnostic tests with the UNIX wget utility. The application doesn't properly escape the information passed in the 'url' variable before calling the executeCommand class function ($this->dtObj->executeCommand). This function calls exec() with unsanitized user input allowing for remote command injection. The page that contains the vulnerabilities, /controllers/MgrDiagnosticTools.php, is accessed by a built-in command answered by the administrative interface. The command that calls to that vulnerable page (passed in the 'section' parameter) is: 'configuration'. Exploitation of this vulnerability yields shell access to the remote machine under the 'spiderman' user account.
45 CVE-2016-9553 77 2017-01-28 2017-03-08
9.0
None Remote Low ??? Complete Complete Complete
The Sophos Web Appliance (version 4.2.1.3) is vulnerable to two Remote Command Injection vulnerabilities affecting its web administrative interface. These vulnerabilities occur in the MgrReport.php (/controllers/MgrReport.php) component responsible for blocking and unblocking IP addresses from accessing the device. The device doesn't properly escape the information passed in the variables 'unblockip' and 'blockip' before calling the shell_exec() function which allows for system commands to be injected into the device. The code erroneously suggests that the information handled is protected by utilizing the variable name 'escapedips' - however this was not the case. The Sophos ID is NSWA-1258.
46 CVE-2016-9038 362 Mem. Corr. 2018-04-24 2022-04-19
4.4
None Local Medium Not required Partial Partial Partial
An exploitable double fetch vulnerability exists in the SboxDrv.sys driver functionality of Invincea-X 6.1.3-24058. A specially crafted input buffer and race condition can result in kernel memory corruption, which could result in privilege escalation. An attacker needs to execute a special application locally to trigger this vulnerability.
47 CVE-2016-8732 275 2018-04-24 2022-04-19
4.6
None Local Low Not required Partial Partial Partial
Multiple security flaws exists in InvProtectDrv.sys which is a part of Invincea Dell Protected Workspace 5.1.1-22303. Weak restrictions on the driver communication channel and additional insufficient checks allow any application to turn off some of the protection mechanisms provided by the Invincea product.
48 CVE-2016-7442 200 +Info 2016-10-03 2018-10-09
2.1
None Local Low Not required Partial None None
The Frontend component in Sophos UTM with firmware 9.405-5 and earlier allows local administrators to obtain sensitive password information by reading the "value" field of the proxy user settings in "system settings / scan settings / anti spam" configuration tab.
49 CVE-2016-7397 200 +Info 2016-10-03 2018-10-09
2.1
None Local Low Not required Partial None None
The Frontend component in Sophos UTM with firmware 9.405-5 and earlier allows local administrators to obtain sensitive password information by reading the "value" field of the SMTP user settings in the notifications configuration tab.
50 CVE-2016-6597 254 2016-08-10 2018-10-09
5.0
None Remote Low Not required Partial None None
Sophos EAS Proxy before 6.2.0 for Sophos Mobile Control, when Lotus Traveler is enabled, allows remote attackers to access arbitrary web-resources from the backend mail system via a request for the resource, aka an Open Reverse Proxy vulnerability.
Total number of vulnerabilities : 112   Page : 1 (This Page)2 3
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.