History: Mar 01, 2023 - 12:00 a.m.

CVE-2022-4901

2023-03-01 00:00:00
Sophos
www.cve.org
1
xss
sophos connect
vpn configuration
javascript
security vulnerability

CVSS3: 3.3

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

AI Score: 6.2
Confidence: High

EPSS: 0.001
Percentile: 32.1%

Multiple stored XSS vulnerabilities in Sophos Connect versions older than 2.2.90 allow JavaScript code to run in the local UI via a malicious VPN configuration that must be manually loaded by the victim.

CNA Affected

[
  {
    "vendor": "Sophos",
    "product": "Sophos Connect Client",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "2.2.90",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]
