PT-2018-6610 · Sophos · Sophos Firewall

Published: 2018-01-12 · Updated: 2018-02-06 · CVE-2017-18014

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Sophos XG Firewall with SFOS versions prior to 17.0.3 MR3
Description: A persistent (stored) XSS issue was discovered in the Logging subsystem of Sophos XG Firewall. An unauthenticated user can plant the payload by sending an HTTP POST request with a crafted User-Agent header to a site protected by the firewall's WAF; the value is logged as-is and is rendered without escaping in the WAF log page of the webadmin interface (Control Center -> Log Viewer, filter option "Web Server Protection"). When an administrator views that page, the injected script runs in the administrator's browser session, allowing any action available to the webadmin of the firewall, such as creating a new user, enabling SSH, or adding an SSH authorized key.
Recommendations: For Sophos XG Firewall with SFOS versions prior to 17.0.3 MR3, update to version 17.0.3 MR3 or later to resolve the issue. As a temporary workaround, restrict access to the WAF log page in the webadmin interface to minimize the risk of exploitation, and avoid using the filter option "Web Server Protection" in the Log Viewer until the firewall is updated.
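The root cause described above is a log viewer that interpolates an attacker-controlled HTTP header straight into the admin page's HTML. The following is an added example, not code from Sophos or from this advisory: it models a minimal WAF log row renderer in the vulnerable form next to the hardened form (output encoding with `html.escape`), plus a small check a defender can run over logged User-Agent values to spot entries that carry HTML markup. The `WafLogEntry` fields and the sample log lines are constructed for illustration and do not reflect the real SFOS log format.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class WafLogEntry:
    """One WAF log record (constructed field set, not the real SFOS schema)."""
    timestamp: str
    src_ip: str
    method: str
    path: str
    user_agent: str


# Constructed sample entries. The second one carries the kind of value a
# stored-XSS probe would leave behind in the User-Agent field.
SAMPLE_ENTRIES = [
    WafLogEntry("2018-01-12T10:00:00Z", "192.0.2.10", "POST", "/login",
                "Mozilla/5.0 (X11; Linux x86_64)"),
    WafLogEntry("2018-01-12T10:00:05Z", "192.0.2.11", "POST", "/login",
                'Mozilla/5.0 <script>alert("xss")</script>'),
]


def render_row_unsafe(entry: WafLogEntry) -> str:
    """Vulnerable pattern: the untrusted header value is placed into the HTML
    verbatim, so any markup it contains is interpreted by the admin's browser."""
    return (
        f"<tr><td>{entry.timestamp}</td><td>{entry.src_ip}</td>"
        f"<td>{entry.method} {entry.path}</td><td>{entry.user_agent}</td></tr>"
    )


def render_row_safe(entry: WafLogEntry) -> str:
    """Hardened pattern: every cell is HTML-escaped at output time, including
    quotes, so the value is displayed as text and cannot break out of the cell."""
    cells = [entry.timestamp, entry.src_ip,
             f"{entry.method} {entry.path}", entry.user_agent]
    return "<tr>" + "".join(
        f"<td>{html.escape(cell, quote=True)}</td>" for cell in cells
    ) + "</tr>"


def render_table(entries, safe: bool = True) -> str:
    """Render the whole log table; `safe=False` reproduces the vulnerable output."""
    renderer = render_row_safe if safe else render_row_unsafe
    return "<table>" + "".join(renderer(e) for e in entries) + "</table>"


# Characters that have no business in a legitimate User-Agent string and are
# the building blocks of HTML/attribute injection.
MARKUP_CHARS = re.compile(r"[<>\"']")


def flag_suspicious_user_agents(entries):
    """Return log entries whose User-Agent contains markup characters; useful as
    a detection sweep over stored logs after a fix has been applied."""
    return [e for e in entries if MARKUP_CHARS.search(e.user_agent)]


if __name__ == "__main__":
    print("unsafe:", render_table(SAMPLE_ENTRIES, safe=False))
    print("safe:  ", render_table(SAMPLE_ENTRIES, safe=True))
    for e in flag_suspicious_user_agents(SAMPLE_ENTRIES):
        print("suspicious User-Agent from", e.src_ip, "->", repr(e.user_agent))
```

Escaping at the rendering boundary is the fix that matters; filtering the header on ingestion is not a substitute, because the log should record what the client actually sent. A Content-Security-Policy on the webadmin interface that disallows inline script is a sensible second layer, since it limits what an injected value can do even if an escape is missed somewhere.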

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2017-18014

Affected Products: Sophos Firewall