The Sophos XG Firewall is potentially affected by an XSS vulnerability in the jQuery library, referred to as CVE-2019-11358. This medium severity issue will be resolved in SFOS v18 GA.
Applies to the following Sophos product(s) and version(s): Sophos Firewall
The vulnerability CVE-2019-11358 outlines the possibility of an XSS attack.
CVSS score according to https://nvd.nist.gov/vuln/detail/CVE-2019-11358: 6.1 (MEDIUM).
At the time of writing, we believe that the XSS vulnerability cannot be exploited on the XG Firewall and there have been no reports suggesting otherwise. Regardless, a patch is available and can be requested directly from Support.
Note: The mitigation alternative to installing the patch is to disable all services (Web Admin, User Portal) offered by the XG, or to restrict them to trusted networks only. However, disabling these services will stop the XG from listening on the ports associated with them.