Sophos Connect v2.2 MR1 Resolves Security Vulnerabilities
Overview
The Sophos Connect client v2.2 MR1 (2.2.90) release fixes the following security issues (users of older versions are required to upgrade.)
CVE ID |
Description |
Severity |
---|---|---|
CVE-2022-48309 |
A CSRF vulnerability allowing malicious websites to retrieve logs and technical support archives was discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program. Sophos would like to thank Mario Melcher - Information Security Professional at SEITENBAU GmbH - for responsibly disclosing this issue to Sophos. |
MEDIUM |
CVE-2022-48310 |
An information disclosure vulnerability allowing sensitive key material to be included in technical support archives was discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program. Sophos would like to thank Mario Melcher - Information Security Professional at SEITENBAU GmbH - for responsibly disclosing this issue to Sophos. |
MEDIUM |
CVE-2022-4901 |
Multiple stored XSS vulnerabilities allowing execution of Javascript code in the local UI were discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program. The victim must be tricked into manually loading a malicious VPN configuration file for the attack to succeed. |
LOW |
Notes
-
Action required: Sophos strongly advises upgrading immediately as the CSRF and information disclosure vulnerabilities (CVE-2022-48309 and CVE-2022-48310) compound each other
-
Sophos always recommends that Sophos Connect users upgrade to the latest release at their earliest opportunity
Related information
-
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48309
-
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48310
-
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4901
-
https://support.sophos.com/support/s/article/KB-000040793?language=en_US
-
https://www.sophos.com/en-us/support/downloads/utm-downloads