Lucene search

SophosCVELIST:CVE-2020-36692

HistoryApr 04, 2023 - 12:00 a.m.

CVE-2020-36692

2023-04-0400:00:00

Sophos

www.cve.org

cve-2020-36692

reflected xss

post vulnerability

sophos web appliance

version 4.3.10.4

execution of javascript code

victim browser

malicious form

manual submission

logged in

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

24.8%

JSON

A reflected XSS via POST vulnerability in report scheduler of Sophos Web Appliance versions older than 4.3.10.4 allows execution of JavaScript code in the victim browser via a malicious form that must be manually submitted by the victim while logged in to SWA.

CNA Affected

[
  {
    "vendor": "Sophos",
    "product": "Sophos Web Appliance",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "4.3.10.4",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]

References

www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

24.8%

JSON

Related for CVELIST:CVE-2020-36692