Description
Multiple cross-site scripting (XSS) vulnerabilities in Sophos Web Appliance before 3.7.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) xss parameter in an allow action to rss.php, (2) msg parameter to end-user/errdoc.php, (3) h parameter to end-user/ftp_redirect.php, or (4) threat parameter to the Blocked component.
Exploits (1)
References (2)
Core 2
Core References
Exploit x_refsource_misc
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt
Vendor Advisory x_refsource_confirm
http://www.sophos.com/en-us/support/knowledgebase/118969.aspx
Scores
EPSS
0.0097
EPSS Percentile
76.7%
Details
CWE
CWE-79
Status
published
Products (2)
sophos/web_appliance
sophos/web_appliance_firmware
< 3.7.8.1
Published
Mar 18, 2014
Tracked Since
Feb 18, 2026