This week we started the rollout of another update to the Sophos Web Appliance. Version 220.127.116.11 is an important update that fixes a number of vulnerabilities that were reported to Sophos recently by security researchers Russell Sanford at Critical Start and Kapil Khot of the Qualys Security Research Team. Customers should all receive this update by the middle of next week.
One of the issues describes a way that an attacker could capture and reuse a login session from a valid user. The potential seriousness of this issue was mitigated by the fact that the attacker would have to connect from the same IP address the captured login session was using, so they would need to be actually connected to the same network.
The other issues allowed remote command injection via URL parameters or form fields and required a valid logged-in Administrator session in order to exploit them.
Sophos thanks the researchers for their work and for their help in making our products more secure.
The vulnerabilities were registered at MITRE with the following CVE designations:
For more information, check out the Release Notes.