Informational

High

Resolved Post-auth SQLi in SG UTM User Portal (CVE-2021-36807)

CVE(s)

CVE-2021-36807

Product(s)

Sophos UTM

Updated

2021 Nov 26

Article version

1

Published

2021 Nov 26

Publication ID

sophos-sa-20211126-sg-sqli

Workaround

No

Overview

A post-auth SQL injection vulnerability in the user portal of SG UTM was discovered by Sophos during internal security testing. The vulnerability has been fixed.

The fix removes the possibility of an authenticated user potentially executing code through this vulnerability. There was no evidence that the vulnerability was exploited, and to our knowledge no customers are impacted.

As a precaution, SUM users are advised to disable the user portal.

Applies to the following Sophos product(s) and version(s)

  • Sophos SG UTM

Remediation

  • Fix included in SG UTM v9.708 MR8 on November 24, 2021
  • Users of older versions of SG UTM are required to upgrade to receive this fix
  • Sophos always recommends that SG UTM customers upgrade to the latest available release at their earliest opportunity

Sophos Responsible Disclosure Policy

To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.