CVE-2017-18014

12.01.2018, 17:29

An NC-25986 issue was discovered in the Logging subsystem of Sophos XG Firewall with SFOS before 17.0.3 MR3. An unauthenticated user can trigger a persistent XSS vulnerability found in the WAF log page (Control Center -> Log Viewer -> in the filter option "Web Server Protection") in the webadmin interface, and execute any action available to the webadmin of the firewall (e.g., creating a new user, enabling SSH, or adding an SSH authorized key). The WAF log page will execute the "User-Agent" parameter in the HTTP POST request.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.1 MEDIUM	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 37%

Vendor	Product	Version
sophos	sfos	𝑥 ≤ 17.0
sophos	sfos	17.0:mr1
sophos	sfos	17.0:mr2
sophos	sfos	17.0:mr3

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

http://seclists.org/fulldisclosure/2018/Jan/24

https://blogs.securiteam.com/index.php/archives/3612

https://community.sophos.com/kb/en-us/128024

https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-17-0-3-mr3-released

http://seclists.org/fulldisclosure/2018/Jan/24

https://blogs.securiteam.com/index.php/archives/3612

https://community.sophos.com/kb/en-us/128024

https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-17-0-3-mr3-released