Want to get paid for a vulnerability similar to this one?
Contact us at: firstname.lastname@example.org
See our full scope at: https://blogs.securiteam.com/index.php/product_scope
The following advisory describes an unauthenticated persistent XSS that leads to unauthorized root access found in Sophos XG version 17.
Sophos XG Firewall “provides unprecedented visibility into your network, users, and applications directly from the all-new control center. You also get rich on-box reporting and the option to add Sophos iView for centralized reporting across multiple firewalls.”
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Sophos was informed of the vulnerability; their response was:
- On December 11th, we both received and acknowledged your submission of the issue
- On December 12th, we confirmed the issue and started working on a fix
- On December 20th, we released the official fix in XGv17 MR3: https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-17-0-3-mr3-released
- On December 29th, we finished the automatic distribution of the fix backports to all previous releases of XGv16, v16.5, v17
- On December 31st, we published our security advisory with the acknowledgement as per your request: https://community.sophos.com/kb/en-us/128024?elqTrackId=3a6db4656f654d65b352f526d26c6a17&elq=1514ab02d2764e8cb73e6b0bdbe7e7be&elqaid=2739&elqat=1&elqCampaignId=27053