The security holes have been identified by SEC Consult experts

Apr 5, 2013 18:21 GMT

Security solutions provider Sophos has addressed several vulnerabilities identified by SEC Consult Vulnerability Lab experts in Sophos Web Appliance. The updated version, 3.7.8.2, was made available to all customers on April 1.

According to the advisory published by SEC Consult, its researchers identified three vulnerabilities: an unauthenticated local file disclosure, OS command injections, and a reflected cross-site scripting (XSS) vulnerability.

The first issue allowed unauthenticated users to download arbitrary files, including cleartext passwords and valid PHP session IDs.

The OS command injections could have been exploited by an administrative user, and in some cases even by unauthenticated users, to execute commands as a privileged user.

Finally, the XSS security hole could have been leveraged for phishing attacks.

The issues were reported to Sophos on February 22. The security firm started rolling out updates on March 18 to a certain group of customers.