CVE-2013-2642

Published: Mar 18, 2014Modified: May 6, 2026

9.3

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability: 8.6 / Impact: 10.0

Source: NVD

Description

Sophos Web Appliance before 3.7.8.2 allows (1) remote attackers to execute arbitrary commands via shell metacharacters in the client-ip parameter to the Block page, when using the user_workstation variable in a customized template, and remote authenticated users to execute arbitrary commands via shell metacharacters in the (2) url parameter to the Diagnostic Tools functionality or (3) entries parameter to the Local Site List functionality.

Affected (2)

Products: Sophos: Web Appliance Firmware, Web Appliance

2 products

Web Appliance Firmware

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Sophos Web Appliance Firmware	Up to 3.7.8.1
Sophos Web Appliance	All versions

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (4)

http://www.sophos.com/en-us/support/knowledgebase/118969.aspx

Source: cve@mitre.org

Vendor Advisory

https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt

Source: cve@mitre.org

Exploit

http://www.sophos.com/en-us/support/knowledgebase/118969.aspx

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

Timeline

No history available yet.