The following advisory describes two (2) vulnerabilities, a Path Traversal and a Missing Function Level Access Control, in Sophos XG Firewall 16.05.4 MR-4.
Sophos XG Firewall provides “unprecedented visibility into your network, users, and applications directly from the all-new control center. You also get rich on-box reporting and the option to add Sophos iView for centralized reporting across multiple firewalls”.
An independent security researcher has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.
The vendor has released patches to address these vulnerabilities:
“The patches were released as part of SFOS 16.05.5 MR5:
Our internal bug number was NC-18958, mentioned in the changelog”