PT-2023-15910 · Sophos · Sophos Connect
Published 2023-03-01 · Updated 2023-03-09 · CVE-2022-4901
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Sophos Connect versions prior to 2.2.90
Description
A specially crafted VPN configuration file, which the victim must import into the client manually, can cause attacker-controlled JavaScript to execute in the Sophos Connect local user interface. The cause is multiple stored cross-site scripting (XSS) flaws: values taken from the imported configuration are rendered in the UI without adequate output encoding, so the payload runs each time the affected screen is displayed, not only at import time.
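The pattern behind this class of bug, as an added illustration that is not Sophos code and does not use the real Sophos Connect configuration format: a constructed JSON profile whose display name carries markup, the vulnerable string-into-HTML rendering that turns it into a stored XSS, the escaped rendering that neutralises it, and a coarse import-time check of the kind that supports the "trusted sources only" workaround. All field names and the `SUSPICIOUS` pattern are assumptions for the example.

```javascript
// Added example (not Sophos code). The configuration shape below is
// constructed for illustration and is not the Sophos Connect file format.

// Constructed sample: an attacker-supplied profile whose "name" field carries
// an event-handler payload instead of a plain display name.
const maliciousConfig = {
  name: 'Office VPN" <img src=x onerror="alert(document.cookie)">',
  gateway: "vpn.example.test",
  username: "alice",
};

// Vulnerable pattern: the untrusted field is concatenated straight into HTML.
// If this string reaches innerHTML (or a template with escaping disabled),
// the payload fires every time the profile list is drawn: a stored XSS.
function renderProfileUnsafe(cfg) {
  return `<li class="profile" title="${cfg.name}">${cfg.name} (${cfg.gateway})</li>`;
}

// Minimal HTML escaping covering both element-text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened pattern: every untrusted field is escaped for the context it lands
// in. In a real DOM, building nodes with textContent / setAttribute instead of
// HTML strings achieves the same effect.
function renderProfileSafe(cfg) {
  const name = escapeHtml(cfg.name);
  const gateway = escapeHtml(cfg.gateway);
  return `<li class="profile" title="${name}">${name} (${gateway})</li>`;
}

// Import-time check (a defensive extra, not a replacement for output encoding):
// report string fields that contain markup or script-looking content so the
// import can be refused before the value is persisted. The pattern is
// deliberately coarse and is an assumption of this example.
const SUSPICIOUS = /[<>]|javascript:|on\w+\s*=/i;
function findSuspiciousFields(cfg) {
  return Object.entries(cfg)
    .filter(([, v]) => typeof v === "string" && SUSPICIOUS.test(v))
    .map(([k]) => k);
}

// Stand-alone demonstration.
console.log("unsafe:", renderProfileUnsafe(maliciousConfig));
console.log("safe:  ", renderProfileSafe(maliciousConfig));
console.log("flagged fields:", findSuspiciousFields(maliciousConfig));
```

The unsafe renderer emits the `<img ... onerror=...>` tag verbatim, so a browser-based UI would execute it on every redraw; the safe renderer emits `&lt;img ... &gt;`, which displays as literal text. The import check flags the `name` field only, which is the behaviour a "refuse untrusted configurations" control would rely on.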
Recommendations
For Sophos Connect versions prior to 2.2.90, update to version 2.2.90 or later. Until the update is applied, import only VPN configuration files obtained from a trusted source, since exploitation requires the victim to load an attacker-supplied configuration into the client.
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Sophos Connect