Sophos has released security patches to address seven vulnerabilities in Sophos Firewall version 19.5, including some arbitrary code execution bugs.
The most severe issue addressed by the security vendor is a critical code injection vulnerability tracked as CVE-2022-3236.
“A code injection vulnerability allowing remote code execution was discovered in the User Portal and Webadmin.” reads the advisory.
In September Sophos warned of this critical code injection security vulnerability (CVE-2022-3236) affecting its Firewall product which is being exploited in the wild. Sophos confirmed that this vulnerability was being used to target a small set of specific organizations, primarily in the South Asia region.
The security vendor also addressed three vulnerabilities rated as ‘high’ severity, below is the list of these issues:
The company also fixed two flaws, rated as medium severity, respectively a stored XSS vulnerability (CVE-2022-3709) and a post-auth read-only SQL injection flaw (CVE-2022-3711).
The seventh issue addressed by the company is a post-auth read-only SQL injection vulnerability, tracked as CVE-2022-3710, rated as low severity.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, code execution flaws)