Lucene search

SophosCVE-2020-36692

HistoryApr 04, 2023 - 10:15 a.m.

CVE-2020-36692

2023-04-0410:15:07

CWE-79

Sophos

web.nvd.nist.gov

cve-2020-36692

reflected xss

sophos web appliance

report scheduler

security vulnerability

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

AI Score

5.3

Confidence

High

EPSS

0.001

Percentile

24.8%

JSON

A reflected XSS via POST vulnerability in report scheduler of Sophos Web Appliance versions older than 4.3.10.4 allows execution of JavaScript code in the victim browser via a malicious form that must be manually submitted by the victim while logged in to SWA.

Affected configurations

Nvd

Node

sophosweb_applianceRange<4.3.10.4

VendorProductVersionCPE
sophosweb_appliance*cpe:2.3:a:sophos:web_appliance:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sophos	web_appliance	*	cpe:2.3:a:sophos:web_appliance::::::::

CNA Affected

[
  {
    "vendor": "Sophos",
    "product": "Sophos Web Appliance",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "4.3.10.4",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]

References

www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

AI Score

5.3

Confidence

High

EPSS

0.001

Percentile

24.8%

JSON

Related for CVE-2020-36692