CVE-2021-36807

CWE-89 — SQL Injection3 documents3 sources

Severity

8.8HIGH

EPSS

0.2%

top 57.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sophos SG UTM Sophos Unified Threat Management Up2date

Timeline

PublishedNov 26

Latest updateNov 27

Description

An authenticated user could potentially execute code via an SQLi vulnerability in the user portal of SG UTM before version 9.708 MR8.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5sophos/sg_utmunspecified — 9.708 MR8

▶NVDsophos/unified_threat_management_up2date< 9.708

🔴Vulnerability Details

GHSA

GHSA-3rf7-6c99-mx43: An authenticated user could potentially execute code via an SQLi vulnerability in the user portal of SG UTM before version 9↗2021-11-27

▶

CVEList

CVE-2021-36807: An authenticated user could potentially execute code via an SQLi vulnerability in the user portal of SG UTM before version 9↗2021-11-26

▶