CVE-2022-48309: 
NixOS vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was identified in Sophos Connect versions older than 2.2.90. This vulnerability was assigned CVE-2022-48309 and was publicly disclosed on March 1, 2023. The vulnerability affects Sophos Connect client versions 2.x prior to version 2.2.90 (NVD CVE, MITRE CVE).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. This indicates that the vulnerability can be exploited over the network (AV:N), requires low attack complexity (AC:L), needs no privileges (PR:N), requires user interaction (UI:R), has unchanged scope (S:U), and can impact confidentiality at a low level (C:L) with no impact on integrity (I:N) or availability (A:N) (NVD CVE).

The vulnerability allows malicious websites to retrieve logs and technical support archives from affected Sophos Connect installations. This could potentially lead to unauthorized access to sensitive information contained within these logs and archives (NVD CVE).

The recommended mitigation is to upgrade Sophos Connect to version 2.2.90 or later, which contains fixes for this vulnerability (NVD CVE).