A malicious website could execute code remotely in Sophos Connect Client before version 2.1.
sophos connect