SQL Injection Vulnerability in Sophos XG Firewall by Sophos
CVE-2020-15504

9.8CRITICAL

Key Information:

Vendor: Sophos
Status: Xg Firewall Firmware
Vendor: CVE Published:; 10 July 2020

Summary

A SQL injection vulnerability exists within the user and admin web interfaces of the Sophos XG Firewall, enabling attackers to execute arbitrary code remotely. This flaw affects versions of the firewall prior to v18.0 MR1 and poses significant risks to system integrity and data security. A remedy has been introduced in the re-release of XG Firewall v18 MR-1 (MR-1-Build396), and users are advised to update to the patched versions immediately.

References

https://community.sophos.com/b/security-blog/posts/adviso...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 10, 2020
Vulnerability Reserved
Jul 2, 2020