PT-2020-5788 · Squid+8 · Squid+9
Published 2020-03-14 · Updated 2025-11-07 · CVE-2019-18860
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Squid versions prior to 4.9 (upstream)
Debian 10 packages: Squid versions prior to 4.6-1+deb10u3
Debian 9 packages: Squid versions prior to 3.5.23-5+deb9u2
ALT Linux packages: Squid versions prior to 4.10-alt1
Squid packages prior to 4.16-1.5
Description
Squid, a high-performance caching proxy, mishandles HTML in the host parameter to cachemgr.cgi (CVE-2019-18860). When certain web browsers are used, the parameter value is reflected into the management page without adequate hostname validation or output escaping, which yields a reflected cross-site scripting (XSS) vector. The affected endpoint is /cachemgr.cgi and the vulnerable input is the host parameter. The CVSS vector (UI:R, S:C, C:L/I:L) reflects this: a victim has to open a crafted link, and the impact lands in the victim's browser in the context of the site serving cachemgr.cgi rather than on the proxy process itself.

cachemgr.cgi is a CGI program shipped with Squid and run under a separate web server, so the exposed component is whichever web host serves that CGI; restricting access to it reduces exposure until the package is updated. Squid is also affected by related issues in the same release series: incorrect input validation and URL request handling that can allow bypassing access restrictions for restricted HTTP servers, denial of service, cache poisoning, and incomplete validation of hostnames in cachemgr.cgi.
Recommendations
Upgrade to Squid version 4.9 or later.
Upgrade to Squid version 4.6-1+deb10u3 or later.
Upgrade to Squid version 3.5.23-5+deb9u2 or later.
Upgrade to Squid version 4.10-alt1 or later.
Upgrade to Squid version 4.16-1.5 or later.
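The following is an added example, not Squid's own code and not the patch that fixed CVE-2019-18860. It models the bug class described above with a constructed vulnerable renderer that copies the host parameter into HTML, places a hardened renderer beside it (hostname validation plus output escaping), builds the probe request a tester would send to a cachemgr.cgi endpoint, checks a response body for an unescaped reflection, and filters constructed access-log lines for cachemgr.cgi requests whose host value is not a hostname. The base URL, the log lines and the HTML fragment are all assumptions made for the example.

```python
"""Added example for the cachemgr.cgi host-parameter XSS class (CVE-2019-18860).
This is constructed illustration code, not Squid's cachemgr.cgi or its fix."""
import html
import re
from urllib.parse import urlencode, urlparse, parse_qs

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, 253 characters at most.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)

# Classic reflected-XSS probe: closes the attribute and the tag, then injects a script.
PROBE = '"><script>alert(1)</script>'


def is_valid_hostname(host: str) -> bool:
    """True only for syntactically valid hostnames; any HTML metacharacter fails."""
    return bool(_HOSTNAME_RE.match(host))


def render_vulnerable(host: str) -> str:
    """Constructed vulnerable pattern: the untrusted value is copied into HTML verbatim."""
    return f'<input type="hidden" name="host" value="{host}">'


def render_hardened(host: str) -> str:
    """Reject anything that is not a hostname, and escape on output anyway."""
    if not is_valid_hostname(host):
        raise ValueError("invalid hostname")
    return f'<input type="hidden" name="host" value="{html.escape(host, quote=True)}">'


def hardened_rejects(host: str) -> bool:
    """Convenience wrapper: does the hardened renderer refuse this value?"""
    try:
        render_hardened(host)
    except ValueError:
        return True
    return False


def probe_url(base: str) -> str:
    """Request a tester would send; `base` is an assumed URL of the host serving the CGI."""
    return base.rstrip("/") + "/cachemgr.cgi?" + urlencode({"host": PROBE})


def reflects_unescaped(body: str) -> bool:
    """True if the probe comes back verbatim in the response body (i.e. unescaped)."""
    return PROBE in body


# Constructed access-log lines in a CLF-like shape; only the request field is parsed.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Mar/2020:10:00:01 +0000] "GET /cachemgr.cgi?host=proxy.example.internal HTTP/1.1" 200 512
10.0.0.9 - - [14/Mar/2020:10:00:07 +0000] "GET /cachemgr.cgi?host=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640
10.0.0.9 - - [14/Mar/2020:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 120
"""

_REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_cachemgr_requests(log_text: str) -> list:
    """Return log lines whose cachemgr.cgi host= value (after URL decoding) is not a hostname."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ_RE.search(line)
        if not m:
            continue
        parsed = urlparse(m.group(1))
        if not parsed.path.endswith("/cachemgr.cgi"):
            continue
        for host in parse_qs(parsed.query).get("host", []):
            if not is_valid_hostname(host):
                hits.append(line)
                break
    return hits


if __name__ == "__main__":
    print("probe:", probe_url("http://proxy.example.internal"))
    print("vulnerable reflects:", reflects_unescaped(render_vulnerable(PROBE)))
    print("hardened rejects:", hardened_rejects(PROBE))
    for hit in suspicious_cachemgr_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

Validation before escaping is the point: a hostname has no legitimate use for quotes or angle brackets, so rejecting the value outright removes the injection surface, and escaping on output protects against any other path that reaches the template. The log filter uses the same validator, so a request that the hardened renderer would refuse is the same request that should raise an alert in the access logs.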
Weakness Enumeration
Special Elements Injection
Related Identifiers
CVE-2019-18860
Affected Products
ALT Linux
AlmaLinux
CentOS
Linux Mint
Red Hat
Rocky Linux
Squid
Squid Cache
SUSE
Ubuntu