This week, Sophos released security patches that patch up a number of flaws in the Sophos Web Appliance, including a serious hole that allowed for code execution. The Sophos Web Appliance is a web security solution that enables managers to specify web access policies by people or groups and enforce them as appropriate from a single interface.
The warning page handler of the appliance contained the critical flaw, tracked as CVE-2023-1671 (CVSS score of 9.8), which could be exploited without authentication. According to Sophos, the flaw “allows execution of arbitrary code through a pre-auth command injection vulnerability in the warn-proceed handler.”