CVE-2019-13345
Published 2019-07-05
Priority P3 · 46 · medium · 6.1 CVSS 3.0
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 74.48% (99.4th percentile)
The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | squid | < squid 4.8-1 (bookworm) | squid 4.8-1 (bookworm) |
| squid-cache | squid | <= 4.7 | — |
| squid | squid | >= 0 < 4.8-1 | 4.8-1 |
| squid | squid | >= 0 < 4.8-1 | 4.8-1 |
| squid | squid | >= 0 < 4.8-1 | 4.8-1 |
| squid | squid | >= 0 < 4.8-1 | 4.8-1 |
Detection & IOCs (extracted from sources)
path: /cgi-bin/cachemgr.cgi
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Squid Proxy user_name and auth Reflected Cross-Site Scripting (CVE-2019-13345)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/cachemgr.cgi|3f|"; fast_pattern; startswith; pcre:"/^.+(?:user_name|auth)\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onerror|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3d)/Ri"; reference:url,www.sonicwall.com/blog/cve-2019-13345-squid-proxy-cross-site-scripting-vulnerability; reference:cve,2019-13345; classtype:web-application-attack; sid:2059281; rev:1; metadata:affected_product Squid, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2025_01_16, cve CVE_2019_13345, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- XSS is delivered via the `user_name` or `auth` GET parameters in requests to cachemgr.cgi. Look for those parameter names carrying script-injection payloads (e.g. `<script>`, event handlers such as onload/onerror/onclick, or `style=` attributes).
- Detection should focus on HTTP GET requests to /cgi-bin/cachemgr.cgi where the query string contains user_name= or auth= followed by XSS payloads: script tags, mouse/key/focus/load/error event handlers, or inline style= directives.
- The attack is classified as a reflected (non-persistent) XSS against the Squid cachemgr.cgi CGI endpoint, exploitable by a remote unauthenticated attacker.
- All Squid versions through 4.7 are vulnerable; the fix was introduced in version 4.8. Ensure deployed Squid instances are upgraded to 4.8 or later.
- The Snort/Suricata rule (sid:2059281) carries a `tls_state TLSDecrypt` metadata tag, meaning it will only fire on TLS traffic if SSL inspection (SSLDecrypt) is enabled on the sensor.
- Red Hat Enterprise Linux 5 and 6 ship affected squid versions but are out of support scope and will not receive patches from Red Hat.
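As an added example (not code from the page, the rule author or the Squid project), the detection logic the bullets above describe, run over constructed access-log lines: it mirrors the payload markers of the published rule but parses the query string and matches only the exact `user_name` and `auth` parameters after percent-decoding, so encoded payloads are caught and unrelated names such as `oauth` are not.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log entries (common log format); not taken from the page.
# Lines 2 and 3 carry encoded XSS markers in the watched parameters; line 1 is a
# legitimate cachemgr login; lines 4 (other path) and 5 (POST) must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jul/2019:10:00:01 +0000] "GET /cgi-bin/cachemgr.cgi?server=localhost&user_name=admin&operation=menu HTTP/1.1" 200 512
10.0.0.7 - - [05/Jul/2019:10:00:02 +0000] "GET /cgi-bin/cachemgr.cgi?user_name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 610
10.0.0.9 - - [05/Jul/2019:10:00:03 +0000] "GET /cgi-bin/cachemgr.cgi?auth=x%22+onmouseover%3Dalert(1)+x%3D%22 HTTP/1.1" 200 598
10.0.0.9 - - [05/Jul/2019:10:00:04 +0000] "GET /index.html?user_name=%3Cscript%3E HTTP/1.1" 404 120
10.0.0.3 - - [05/Jul/2019:10:00:05 +0000] "POST /cgi-bin/cachemgr.cgi HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
# Payload markers mirrored from the published rule's pcre (sid:2059281).
PAYLOAD_RE = re.compile(
    r"script|onmouse[a-z]+|onkey[a-z]+|onerror|onload|onunload|ondragdrop|onblur"
    r"|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style=",
    re.IGNORECASE,
)
WATCHED_PARAMS = {"user_name", "auth"}


def inspect_request(method, target):
    """Return (param, decoded value) pairs that look like reflected-XSS attempts, else []."""
    if method != "GET":
        return []
    parts = urlsplit(target)
    if not parts.path.endswith("/cgi-bin/cachemgr.cgi") or not parts.query:
        return []
    hits = []
    # parse_qsl percent-decodes and turns '+' into spaces, so encoded payloads are
    # matched after decoding; only exact watched parameter names are inspected.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in WATCHED_PARAMS and PAYLOAD_RE.search(value):
            hits.append((name, value))
    return hits


def scan_log(text):
    """Scan access-log text and return (line number, param, decoded value) findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            for name, value in inspect_request(m["method"], m["target"]):
                findings.append((lineno, name, value))
    return findings
```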
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
Ubuntu
Squid vulnerabilities
vendor_ubuntu·2019-07-17·CVSS 7.5
CVE-2018-1000024 [HIGH] Squid vulnerabilities
Title: Squid vulnerabilities
Summary: Several security issues were fixed in Squid.
USN-4059-1 and USN-3557-1 fixed several vulnerabilities in Squid. This update provides
the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
Louis Dion-Marcil discovered that Squid incorrectly handled certain
Edge Side Includes (ESI) responses. A malicious remote server could
possibly cause Squid to crash, resulting in a denial of service.
(CVE-2018-1000024)
Louis Dion-Marcil discovered that Squid incorrectly handled certain
Edge Side Includes (ESI) responses. A malicious remote server could
possibly cause Squid to crash, resulting in a denial of service.
(CVE-2018-1000027)
It was discovered that Squid incorrectly handled the cachemgr.cgi web
module. A remote attacker could possibly
Ubuntu
Squid vulnerabilities
vendor_ubuntu·2019-07-15·CVSS 5.9
CVE-2018-19132 [MEDIUM] Squid vulnerabilities
Title: Squid vulnerabilities
Summary: Several security issues were fixed in Squid.
It was discovered that Squid incorrectly handled certain SNMP packets. A
remote attacker could possibly use this issue to cause memory consumption,
leading to a denial of service. This issue only affected Ubuntu 16.04 LTS
and Ubuntu 18.04 LTS. (CVE-2018-19132)
It was discovered that Squid incorrectly handled the cachemgr.cgi web
module. A remote attacker could possibly use this issue to conduct
cross-site scripting (XSS) attacks. (CVE-2019-13345)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
squid: XSS via user_name or auth parameter in cachemgr.cgi
vendor_redhat·2019-07-05·CVSS 6.1
CVE-2019-13345 [MEDIUM] CWE-79 squid: XSS via user_name or auth parameter in cachemgr.cgi
squid: XSS via user_name or auth parameter in cachemgr.cgi
The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter.
Statement: This issue affects the versions of squid as shipped with Red Hat Enterprise Linux 5, 6, 7, and 8.
Red Hat Enterprise Linux 5 is now in Extended Life Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updat
Debian
CVE-2019-13345: squid - The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or au...
vendor_debian·2019·CVSS 6.1
CVE-2019-13345 [MEDIUM] CVE-2019-13345: squid - The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or au...
The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter.
Scope: local
bookworm: resolved (fixed in 4.8-1)
bullseye: resolved (fixed in 4.8-1)
forky: resolved (fixed in 4.8-1)
sid: resolved (fixed in 4.8-1)
trixie: resolved (fixed in 4.8-1)
GHSA
GHSA-3cp8-63m9-w97j: The cachemgr
ghsa_unreviewed·2022-05-24
CVE-2019-13345 [MEDIUM] CWE-79 GHSA-3cp8-63m9-w97j: The cachemgr
The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter.
OSV
squid, squid3 vulnerabilities
osv·2019-07-15·CVSS 5.9
CVE-2018-19132 [MEDIUM] squid, squid3 vulnerabilities
squid, squid3 vulnerabilities
It was discovered that Squid incorrectly handled certain SNMP packets. A
remote attacker could possibly use this issue to cause memory consumption,
leading to a denial of service. This issue only affected Ubuntu 16.04 LTS
and Ubuntu 18.04 LTS. (CVE-2018-19132)
It was discovered that Squid incorrectly handled the cachemgr.cgi web
module. A remote attacker could possibly use this issue to conduct
cross-site scripting (XSS) attacks. (CVE-2019-13345)
OSV
CVE-2019-13345: The cachemgr
osv·2019-07-05·CVSS 6.1
CVE-2019-13345 [MEDIUM] CVE-2019-13345: The cachemgr
The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter.
Suricata
ET WEB_SPECIFIC_APPS Squid Proxy user_name and auth Reflected Cross-Site Scripting (CVE-2019-13345)
suricata·2025-01-16·CVSS 6.1
CVE-2019-13345 [MEDIUM] ET WEB_SPECIFIC_APPS Squid Proxy user_name and auth Reflected Cross-Site Scripting (CVE-2019-13345)
ET WEB_SPECIFIC_APPS Squid Proxy user_name and auth Reflected Cross-Site Scripting (CVE-2019-13345)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Squid Proxy user_name and auth Reflected Cross-Site Scripting (CVE-2019-13345)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/cachemgr.cgi|3f|"; fast_pattern; startswith; pcre:"/^.+(?:user_name|auth)\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onerror|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3d)/Ri"; reference:url,www.sonicwall.com/blog/cve-2019-13345-squid-proxy-cross-site-scripting-vulnerability; reference:cve,2019-13345; classtype:web-application-attack; sid:2059281; rev:1; metadata:affected_product Squid, attack_target Netwo
No public exploits indexed.
Bugzilla
CVE-2019-13345 squid: XSS via user_name or auth parameter in cachemgr.cgi [fedora-all]
bugzilla·2019-07-08·CVSS 6.1
CVE-2019-13345 [MEDIUM] CVE-2019-13345 squid: XSS via user_name or auth parameter in cachemgr.cgi [fedora-all]
CVE-2019-13345 squid: XSS via user_name or auth parameter in cachemgr.cgi [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported
Bugzilla
CVE-2019-13345 squid: XSS via user_name or auth parameter in cachemgr.cgi
bugzilla·2019-07-08·CVSS 6.1
CVE-2019-13345 [MEDIUM] CVE-2019-13345 squid: XSS via user_name or auth parameter in cachemgr.cgi
CVE-2019-13345 squid: XSS via user_name or auth parameter in cachemgr.cgi
A vulnerability was found in the cachemgr.cgi web module of Squid through 4.7: it has XSS via the user_name or auth parameter.
Reference:
https://bugs.squid-cache.org/show_bug.cgi?id=4957
https://github.com/squid-cache/squid/pull/429
Discussion:
Created squid tracking bugs for this issue:
Affects: fedora-all [bug 1727745]
---
The cachemgr.cgi is not used by default. You are only affected if you've set this up manually.
---
Statement:
This issue affects the versions of squid as shipped with Red Hat Enterprise Linux 5, 6, 7, and 8.
Red Hat Enterprise Linux 5 is now in Extended Life Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional i
References
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00067.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00053.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00056.html
- http://www.securityfocus.com/bid/109095
- https://access.redhat.com/errata/RHSA-2019:3476
- https://bugs.squid-cache.org/show_bug.cgi?id=4957
- https://github.com/squid-cache/squid/pull/429
- https://lists.debian.org/debian-lts-announce/2019/07/msg00006.html
- https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPXN2CLAGN5QSQBTOV5IGVLDOQSRFNTZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X2ERPHSPUGOYVVRPQRASQBFGS2EJISFC/
- https://seclists.org/bugtraq/2019/Aug/42
- https://usn.ubuntu.com/4059-1/
- https://usn.ubuntu.com/4059-2/
- https://www.debian.org/security/2019/dsa-4507