"The Sophos Email Appliance (v220.127.116.11) had multiple vulnerabilities which in combination could allow the system to be fully compromised, giving an attacker both administrative access to the UI, and a root shell on the underlying operating system," Williams said in the paper. "These included various instances of command injection, XSS with session-hijacking, CSRF, session-fixation, etc."
Sophos addressed those flaws in January 2013, along with other issues discovered during its own security review of the product. Williams commended Sophos for the auto-update feature built into its appliances, which he said is not the norm in products from other vendors.