Sophos XG Web Application Firewall Cross-Site Scripting Vulnerability [CVE-2017-18014]

A vulnerability in the Web Application Firewall (WAF) component of the Sophos XG Firewall operating system (SFOS) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on a targeted system.

The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by persuading a user to follow a link that injects malicious script code into the WAF logs page of a targeted system. After the user visits the WAF logs page, the attacker could perform unauthorized actions in the webadmin security context and gain full root SSH shell access to the targeted system, which could result in a complete system compromise.
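The root cause described above, insufficient validation of user-supplied input that later lands on a logs page, is the classic pattern of rendering attacker-controlled request data into HTML without output encoding. The following is an added illustration of that pattern in a generic log viewer; it is not Sophos or SFOS code, the log records are constructed, and the field names (`ts`, `src`, `path`, `status`) and function names are assumptions chosen for the example. It shows the vulnerable rendering next to the hardened form, which entity-encodes every untrusted field before it reaches the page.

```python
import html
from urllib.parse import unquote

# Constructed log records for illustration only; not real WAF output.
# The second record carries request data that, if rendered raw, becomes live markup.
SAMPLE_LOG = [
    {"ts": "2018-01-01T10:00:00Z", "src": "198.51.100.7",
     "path": "/index.html", "status": 200},
    {"ts": "2018-01-01T10:00:01Z", "src": "198.51.100.7",
     "path": "/search?q=%3Cscript%3Ealert(1)%3C/script%3E", "status": 403},
]


def render_row_unsafe(entry):
    """Vulnerable pattern: attacker-controlled request data is concatenated straight into HTML.

    The WAF decoded the URL for logging, and the viewer trusts the logged value.
    """
    path = unquote(entry["path"])
    return (f"<tr><td>{entry['ts']}</td><td>{entry['src']}</td>"
            f"<td>{path}</td><td>{entry['status']}</td></tr>")


def render_row_safe(entry):
    """Hardened pattern: every untrusted field is HTML-entity encoded before it reaches the page.

    html.escape with quote=True also neutralises quote characters, so the value is safe
    inside an element body and inside a double-quoted attribute.
    """
    cells = (entry["ts"], entry["src"], unquote(entry["path"]), str(entry["status"]))
    return "<tr>" + "".join(f"<td>{html.escape(c, quote=True)}</td>" for c in cells) + "</tr>"


def render_table(entries, renderer):
    """Build the logs page body with the given row renderer."""
    return "<table>" + "".join(renderer(e) for e in entries) + "</table>"


def contains_live_markup(rendered_html):
    """Heuristic check used by the test: does a raw tag opener survive into the output?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print("unsafe:", render_table(SAMPLE_LOG, render_row_unsafe))
    print("safe:  ", render_table(SAMPLE_LOG, render_row_safe))
```

The fix is contextual output encoding at the point where log data becomes HTML, not input filtering at the WAF: the log store must be able to hold arbitrary request bytes, so the viewer is the only place where the encoding context is known.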

Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available.

Sophos has confirmed the vulnerability and released software updates.


To exploit this vulnerability, the attacker may use misleading language or instructions to persuade a user to access a link that submits malicious input to the affected software.

In addition to enabling an XSS attack, a successful exploit of this vulnerability could also allow the attacker to gain full root SSH shell access to the targeted system.

This vulnerability does not affect systems that have the WAF component disabled.

Administrators are advised to apply the appropriate updates.
Users should verify that unsolicited links are safe to follow.
Administrators are advised to monitor affected systems.
For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors.
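Monitoring affected systems, as advised above, can include scanning WAF log exports for request fields that decode to HTML markup, since such entries are what an attacker would need to place on the logs page. The scanner below is an added example, not a Sophos tool; the key="value" line format and field names are assumptions and the sample lines are constructed. It URL-decodes each field repeatedly, because a double-encoded value survives a single decode and would otherwise be missed, and reports the line number, source address and offending fields.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a generic key="value" style; not the actual SFOS log format.
# Line 2 carries a URL-encoded tag, line 4 a double-encoded one, lines 1 and 3 are benign.
SAMPLE_LINES = [
    'ts="2018-01-01T10:00:00Z" src="203.0.113.5" url="/index.html" status="200"',
    'ts="2018-01-01T10:00:01Z" src="203.0.113.5" url="/login?next=%3Cscript%3Ealert(1)%3C%2Fscript%3E" status="403"',
    'ts="2018-01-01T10:00:02Z" src="203.0.113.9" url="/catalog?item=42&sort=asc" status="200"',
    'ts="2018-01-01T10:00:03Z" src="203.0.113.9" url="/search?q=%253Cscript%253E" status="200"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# A tag opener: "<", optional "/", then a letter or "!" (comments/doctype). "1<2" does not match.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z!]', re.IGNORECASE)


def parse_line(line):
    """Turn one key="value" log line into a dict."""
    return dict(KV_RE.findall(line))


def decode_fully(value, max_rounds=3):
    """URL-decode until the value stops changing (bounded), so %253C is seen as '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_fields(entry):
    """Return the names of fields whose decoded content looks like HTML or a script URL."""
    hits = []
    for key, raw in entry.items():
        decoded = decode_fully(raw)
        if MARKUP_RE.search(decoded) or "javascript:" in decoded.lower():
            hits.append(key)
    return hits


def scan(lines):
    """Return (line_number, src, [fields]) for every line with a suspicious field."""
    findings = []
    for number, line in enumerate(lines, start=1):
        entry = parse_line(line)
        fields = suspicious_fields(entry)
        if fields:
            findings.append((number, entry.get("src"), fields))
    return findings


if __name__ == "__main__":
    for number, src, fields in scan(SAMPLE_LINES):
        print(f"line {number}: markup in {', '.join(fields)} from {src}")
```

A hit is a signal to review the entry and the source address, not proof of exploitation; the value of the scan is that it reads the log store directly rather than through the web page that the vulnerability affects.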
Vendor Announcements
Sophos has released a security advisory at the following link: Article 128024
Fixed Software
Sophos has released software updates, which are available to customers via automatic updates. Customers are advised to apply the updates manually if they have changed their default settings and are not receiving automatic updates.

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
