Remote Command Injection Vulnerability in Sophos Web Appliance
CVE-2016-9554
Summary
The Sophos Web Appliance is susceptible to a remote command injection vulnerability found in its web administrative interface. This weakness exists in the MgrDiagnosticTools.php component, which is utilized for diagnostic tests via the UNIX wget utility. The application fails to properly sanitize the user-supplied input in the 'url' parameter before passing it to the executeCommand function. As a result, an attacker can exploit this flaw by injecting malicious commands, potentially gaining unauthorized shell access to the system with the permissions of the 'spiderman' user account. This vulnerability emphasizes the importance of input validation and secure coding practices to protect against such exploits.
References
EPSS Score
9% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved