ASA-2019-00455 – Squid: Multiple Cross-Site Scripting issues in cachemgr.cgi


Allele Security Alert

ASA-2019-00455

Identifier(s)

ASA-2019-00455, CVE-2019-13345, SQUID-2019:6

Title

Multiple Cross-Site Scripting issues in cachemgr.cgi

Vendor(s)

The Squid project

Product(s)

Squid

Affected version(s)

Squid 2.x all releases
Squid 3.x -> 3.5.28
Squid 4.x -> 4.7

Fixed version(s)

Squid 4.8
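
An added triage example, not part of the original alert or of the Squid project's code: it classifies `squid -v` version banners against the affected and fixed versions listed above. It assumes "->" means "up to and including"; the host names and banners in the sample inventory are constructed, and the function names are hypothetical.

```python
import re

# Matches "3.5.27", "4.7" and the old "2.7.STABLE9" numbering.
_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(?:STABLE)?(\d+))?", re.I)


def parse_version(text):
    """Return (major, minor, patch) from a `squid -v` banner, or None."""
    m = _VERSION.search(text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def classify(text):
    """Map a banner to affected / fixed / not-listed / unknown."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    major = v[0]
    if major == 2:                      # Squid 2.x all releases
        return "affected"
    if major == 3:                      # Squid 3.x -> 3.5.28 (assumed inclusive)
        return "affected" if v <= (3, 5, 28) else "not-listed"
    if major == 4:                      # Squid 4.x -> 4.7, fixed in 4.8
        return "affected" if v[:2] <= (4, 7) else "fixed"
    return "not-listed"                 # the alert says nothing about other branches


# Constructed sample inventory: (host, output of `squid -v` first line).
SAMPLE_INVENTORY = [
    ("proxy-a", "Squid Cache: Version 3.5.27"),
    ("proxy-b", "Squid Cache: Version 4.7"),
    ("proxy-c", "Squid Cache: Version 4.8"),
    ("proxy-d", "Squid Cache: Version 2.7.STABLE9"),
    ("proxy-e", "Squid Cache: Version 5.2"),
    ("proxy-f", "squid: command not found"),
]


def triage(inventory):
    """Return {host: status} for every (host, banner) pair."""
    return {host: classify(banner) for host, banner in inventory}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}\t{status}")
```

Distribution packages may carry a backported fix without changing the upstream version number, so an "affected" result is a prompt to check the package changelog. The issue is in the cachemgr.cgi tool, so exposure also depends on whether that tool is deployed and reachable.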

Proof of concept

Unknown

Description

Due to incorrect input handling, the Squid cachemgr.cgi tool is vulnerable to multiple Cross-Site Scripting attacks.

This allows a malicious server to embed URLs in its content such that user credentials and other information can be extracted from a client or administrator with access to the Squid cachemgr.cgi tool URL.

Technical details

Unknown

Credits

Jeriko One

Reference(s)

Squid Proxy Cache Security Update Advisory SQUID-2019:6
http://www.squid-cache.org/Advisories/SQUID-2019_6.txt

CVE-2019-13345
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13345

CVE-2019-13345
https://nvd.nist.gov/vuln/detail/CVE-2019-13345

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: July 18, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.