________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2023:6
________________________________________________________________
Advisory ID: | SQUID-2023:6 (CVE-2019-18860)
Date: | November 5, 2025
Summary: | Cross Site Scripting in cachemgr.cgi
Affected versions: | Squid 2.x -> 2.7.STABLE9
| Squid 3.x -> 3.5.28
| Squid 4.x -> 4.17
| Squid 5.x -> 5.9
| Squid 6.x -> 6.14
________________________________________________________________
Problem Description:
Due to an Improper Neutralization of Input During Web Page
Generation bug Squid cachemgr.cgi tool is vulnerable to a
Cross-Site Scripting attack.
________________________________________________________________
Severity:
This problem allows a remote attacker to perform a Cross-Site
scripting attack against clients or administrators with access
to the cachemgr.cgi reporting.
This attack is limited to cachemgr.cgi.
________________________________________________________________
Updated Packages:
The cachemgr.cgi tool has been removed (EOL) by Squid version 7
Patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 6 and older:
<https://github.com/squid-cache/squid/commit/d94dbed6c700faeded8c4175f2a8d0f71c15755b>
Squid 4.8 and older also require:
<https://github.com/squid-cache/squid/commit/5a90b4ce64c346ba7f317a278ba601091d9de076>
If you are using a prepackaged version of Squid then please
refer to the package vendor for availability information on
updated packages.
________________________________________________________________
Determining if your version is vulnerable:
All unpatched cachemgr.cgi are vulnerable.
________________________________________________________________
Workaround:
Fetch manager reports directly from Squid. For example;
http://localhost:3128/squid-internal-mgr/menu
________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the <[email protected]> mailing list is
your primary support point. For subscription details see
<http://www.squid-cache.org/Support/mailing-lists.html>.
For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
<http://bugs.squid-cache.org/>.
For reporting of security sensitive bugs send an email to the
<[email protected]> mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
________________________________________________________________
Credits:
This vulnerability was discovered by Aaron Costello
Additional vectors discovered by Stefan Cornelius of RedHat.
Initial fix by Aaron Costello
________________________________________________________________
Revision history:
2019-10-18 20:15:14 UTC Initial Report
2019-11-03 16:22:22 UTC Initial Patches Released
2020-03-31 11:07:35 UTC Additional Report
________________________________________________________________
END
