From squid3 at treenet.co.nz Tue Nov 4 22:24:58 2025
From: squid3 at treenet.co.nz (Amos Jeffries)
Date: Wed, 5 Nov 2025 11:24:58 +1300
Subject: [squid-announce] [ADVISORY] SQUID-2023:6 Cross Site Scripting in cachemgr.cgi
Message-ID:

________________________________________________________________

    Squid Proxy Cache Security Update Advisory SQUID-2023:6
________________________________________________________________

Advisory ID:       | SQUID-2023:6 (CVE-2019-18860)
Date:              | November 5, 2025
Summary:           | Cross Site Scripting in cachemgr.cgi
Affected versions: | Squid 2.x -> 2.7.STABLE9
                   | Squid 3.x -> 3.5.28
                   | Squid 4.x -> 4.17
                   | Squid 5.x -> 5.9
                   | Squid 6.x -> 6.14
________________________________________________________________

Problem Description:

 Due to an Improper Neutralization of Input During Web Page
 Generation bug, the Squid cachemgr.cgi tool is vulnerable to a
 Cross-Site Scripting attack.

________________________________________________________________

Severity:

 This problem allows a remote attacker to perform a Cross-Site
 Scripting attack against clients or administrators with access
 to the cachemgr.cgi reporting.

 This attack is limited to cachemgr.cgi.

________________________________________________________________

Updated Packages:

 The cachemgr.cgi tool has been removed (EOL) by Squid version 7.

 Patches addressing this problem for the stable releases can be
 found in our patch archives:

 Squid 6 and older:

 Squid 4.8 and older also require:

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

________________________________________________________________

Determining if your version is vulnerable:

 All unpatched cachemgr.cgi are vulnerable.

________________________________________________________________

Workaround:

 Fetch manager reports directly from Squid.

 For example: http://localhost:3128/squid-internal-mgr/menu

________________________________________________________________

Contact details for the Squid project:

 For installation / upgrade support on binary packaged versions
 of Squid: Your first point of contact should be your binary
 package vendor.

 If you install and build Squid from the original Squid sources
 then the mailing list is your primary support point. For
 subscription details see .

 For reporting of non-security bugs in the latest STABLE release
 the squid bugzilla database should be used.

 For reporting of security sensitive bugs send an email to the
 mailing list. It's a closed list (though anyone can post) and
 security related bug reports are treated in confidence until
 the impact has been established.

________________________________________________________________

Credits:

 This vulnerability was discovered by Aaron Costello.

 Additional vectors discovered by Stefan Cornelius of RedHat.

 Initial fix by Aaron Costello.

________________________________________________________________

Revision history:

 2019-10-18 20:15:14 UTC Initial Report
 2019-11-03 16:22:22 UTC Initial Patches Released
 2020-03-31 11:07:35 UTC Additional Report

________________________________________________________________
END
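As an added triage helper (not part of the advisory or the Squid project), the script below maps the version line printed by `squid -v` onto the affected-version table above. It only tells you which branch you are on; as the advisory says, any unpatched cachemgr.cgi is vulnerable, so a version inside a listed range means "apply the patch unless you already have", and the "Squid Cache: Version ..." sample line is a constructed input.

```python
import re

# Upper bound of each affected branch, as listed in SQUID-2023:6.
# 2.7.STABLE9 is represented as (2, 7, 9).
AFFECTED_MAX = {
    2: (2, 7, 9),
    3: (3, 5, 28),
    4: (4, 17),
    5: (5, 9),
    6: (6, 14),
}

# major.minor with an optional third component, accepting the
# "STABLE" prefix used by the 2.x series (e.g. 2.7.STABLE9).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(?:STABLE)?(\d+))?")


def parse_version(text):
    """Return a numeric tuple from a bare version string or from the
    first line of 'squid -v' output (assumed to read 'Squid Cache: Version X')."""
    m = re.search(r"Version\s+(\S+)", text)
    raw = m.group(1) if m else text.strip()
    m = _VERSION_RE.match(raw)
    if not m:
        raise ValueError(f"unrecognised Squid version: {text!r}")
    # Drop the absent third component so (6, 14) compares as expected.
    return tuple(int(p) for p in m.groups() if p is not None)


def triage(text):
    """Classify a version against the advisory's affected-version table."""
    version = parse_version(text)
    major = version[0]
    if major >= 7:
        return "cachemgr-removed"        # tool no longer ships in Squid 7
    bound = AFFECTED_MAX.get(major)
    if bound is None:
        return "unlisted-branch"         # not covered by this advisory
    # Tuple comparison: a shorter prefix-equal tuple sorts first,
    # so (3, 5) <= (3, 5, 28) holds as intended.
    if version <= bound:
        return "affected-unless-patched"
    return "beyond-listed-range"         # newer than the advisory lists


if __name__ == "__main__":
    sample = "Squid Cache: Version 6.14"   # constructed 'squid -v' first line
    print(sample, "->", triage(sample))
```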