CVSS: 6.1EPSS: 5%CPEs: 8EXPL: 0CVE-2019-18860 – squid: Mishandled HTML in the host parameter to cachemgr.cgi results in insecure behaviour
https://notcve.org/view.php?id=CVE-2019-18860
20 Mar 2020 — Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi. Squid versiones anteriores a 4.9, cuando determinados navegadores web son usados, maneja inapropiadamente HTML en el parámetro host (también se conoce como hostname) en el archivo cachemgr.cgi. A flaw was found in squid. Squid, when certain web browsers are used, mishandles HTML in the host parameter to cachemgr.cgi which could result in squid behaving in unsecure way. Jeriko One disco... • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 22%CPEs: 9EXPL: 0CVE-2019-12528 – squid: Information Disclosure issue in FTP Gateway
https://notcve.org/view.php?id=CVE-2019-12528
04 Feb 2020 — An issue was discovered in Squid before 4.10. It allows a crafted FTP server to trigger disclosure of sensitive information from heap memory, such as information associated with other users' sessions or non-Squid processes. Se detectó un problema en Squid versiones anteriores a 4.10. Permite a un servidor FTP diseñado desencadenar una divulgación de información confidencial de la memoria de la pila, tal y como la información asociada con las sesiones de otros usuarios o procesos que no son de Squid. A flaw ... • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 1%CPEs: 5EXPL: 0CVE-2020-8517 – Gentoo Linux Security Advisory 202003-34
https://notcve.org/view.php?id=CVE-2020-8517
04 Feb 2020 — An issue was discovered in Squid before 4.10. Due to incorrect input validation, the NTLM authentication credentials parser in ext_lm_group_acl may write to memory outside the credentials buffer. On systems with memory access protections, this can result in the helper process being terminated unexpectedly. This leads to the Squid process also terminating and a denial of service for all clients using the proxy. Se detectó un problema en Squid versiones anteriores a 4.10. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html • CWE-20: Improper Input Validation CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 44%CPEs: 9EXPL: 0CVE-2020-8450 – squid: Buffer overflow in reverse-proxy configurations
https://notcve.org/view.php?id=CVE-2020-8450
04 Feb 2020 — An issue was discovered in Squid before 4.10. Due to incorrect buffer management, a remote client can cause a buffer overflow in a Squid instance acting as a reverse proxy. Se detectó un problema en Squid versiones anteriores a 4.10. Debido a una administración del búfer incorrecta, un cliente remoto puede causar un desbordamiento del búfer en una instancia de Squid que actúa como un proxy inverso. A flaw was found in squid. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-131: Incorrect Calculation of Buffer Size CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 8%CPEs: 9EXPL: 0CVE-2020-8449 – squid: Improper input validation issues in HTTP Request processing
https://notcve.org/view.php?id=CVE-2020-8449
04 Feb 2020 — An issue was discovered in Squid before 4.10. Due to incorrect input validation, it can interpret crafted HTTP requests in unexpected ways to access server resources prohibited by earlier security filters. Se detectó un problema en Squid versiones anteriores a 4.10. Debido a una comprobación de entrada incorrecta, puede interpretar las peticiones HTTP diseñadas de manera no prevista para acceder a recursos del servidor prohibidos por parte de los filtros de seguridad anteriores. A flaw was found in squid. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00012.html • CWE-20: Improper Input Validation CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.4EPSS: 9%CPEs: 17EXPL: 0CVE-2019-18677 – squid: Cross-Site Request Forgery issue in HTTP Request processing
https://notcve.org/view.php?id=CVE-2019-18677
26 Nov 2019 — An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to. Se descubrió un problema en Squid versiones 2.x, 3.x y versiones 4.x hasta 4.8 cuando la configuración append_domain es usada (porque los caracteres añadidos no interactúan apropiadamente con las restric... • http://www.squid-cache.org/Advisories/SQUID-2019_9.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 72%CPEs: 18EXPL: 0CVE-2019-18679 – squid: Information Disclosure issue in HTTP Digest Authentication
https://notcve.org/view.php?id=CVE-2019-18679
26 Nov 2019 — An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. Due to incorrect data management, it is vulnerable to information disclosure when processing HTTP Digest Authentication. Nonce tokens contain the raw byte value of a pointer that sits within heap memory allocation. This information reduces ASLR protections and may aid attackers isolating memory areas to target for remote code execution attacks. Se descubrió un problema en Squid versiones 2.x, 3.x y versiones 4.x hasta 4.8. • http://www.squid-cache.org/Advisories/SQUID-2019_11.txt • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.9EPSS: 19%CPEs: 22EXPL: 0CVE-2019-12529 – squid: Out of bounds read in Proxy-Authorization header causes DoS
https://notcve.org/view.php?id=CVE-2019-12529
11 Jul 2019 — An issue was discovered in Squid 2.x through 2.7.STABLE9, 3.x through 3.5.28, and 4.x through 4.7. When Squid is configured to use Basic Authentication, the Proxy-Authorization header is parsed via uudecode. uudecode determines how many bytes will be decoded by iterating over the input and checking its table. The length is then used to start decoding the string. There are no checks to ensure that the length it calculates isn't greater than the input buffer. This leads to adjacent memory being decoded as wel... • http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125: Out-of-bounds Read •
CVSS: 6.1EPSS: 81%CPEs: 2EXPL: 1CVE-2019-13345 – squid: XSS via user_name or auth parameter in cachemgr.cgi
https://notcve.org/view.php?id=CVE-2019-13345
05 Jul 2019 — The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter. El modulo web del archivo cachemgr.cgi de Squid hasta versión 4.7, presenta un problema de tipo XSS por medio del parámetro user_name o auth. It was discovered that Squid incorrectly handled certain SNMP packets. A remote attacker could possibly use this issue to cause memory consumption, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. • http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00067.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 20%CPEs: 1EXPL: 1CVE-2018-19131
https://notcve.org/view.php?id=CVE-2018-19131
09 Nov 2018 — Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors. Squid en versiones anteriores a la 4.4 tiene Cross-Site Scripting (XSS) mediante un certificado X.509 manipulado durante la generación de la página de error HTTP(S) para los errores de certificado. • https://github.com/JonathanWilbur/CVE-2018-19131 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •