CVE-2019-13345
published 2019-07-05

CVE-2019-13345: The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter.

Priority: P346 · medium · 6.1 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 74.48% (99.4th percentile)

Affected

7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | | |
| debian | squid | < squid 4.8-1 (bookworm) | squid 4.8-1 (bookworm) |
| squid-cache | squid | <= 4.7 | |
| squid | squid | >= 0 < 4.8-1 | 4.8-1 |
| squid | squid | >= 0 < 4.8-1 | 4.8-1 |
| squid | squid | >= 0 < 4.8-1 | 4.8-1 |
| squid | squid | >= 0 < 4.8-1 | 4.8-1 |

Detection & IOCs (extracted from sources)

path: /cgi-bin/cachemgr.cgi
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Squid Proxy user_name and auth Reflected Cross-Site Scripting (CVE-2019-13345)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/cachemgr.cgi|3f|"; fast_pattern; startswith; pcre:"/^.+(?:user_name|auth)\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onerror|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3d)/Ri"; reference:url,www.sonicwall.com/blog/cve-2019-13345-squid-proxy-cross-site-scripting-vulnerability; reference:cve,2019-13345; classtype:web-application-attack; sid:2059281; rev:1; metadata:affected_product Squid, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2025_01_16, cve CVE_2019_13345, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • XSS is delivered via the `user_name` or `auth` GET parameters in requests to cachemgr.cgi. Look for those parameter names carrying script-injection payloads (e.g., <script>, event handlers such as onload/onerror/onclick, or style= attributes).
  • Detection should focus on HTTP GET requests to /cgi-bin/cachemgr.cgi where the query string contains user_name= or auth= followed by XSS payloads including script tags, mouse/key/focus/load/error event handlers, or inline style= directives.
  • The attack is classified as a reflected (non-persistent) XSS targeting the Squid cachemgr.cgi CGI endpoint, exploitable by a remote unauthenticated attacker.
  • All Squid versions through 4.7 are vulnerable; the fix was introduced in version 4.8. Ensure deployed Squid instances are upgraded to 4.8 or later.
  • The Snort/Suricata rule (sid:2059281) includes a `tls_state TLSDecrypt` metadata tag, meaning it will only fire on TLS traffic if SSL inspection (SSLDecrypt) is enabled on the sensor.
  • Red Hat Enterprise Linux 5 and 6 ship affected squid versions but are out of support scope and will not receive patches from Red Hat.
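
For hosts where only web-server access logs are available, the same path, parameter and keyword checks can be run offline. The following is an added example, not part of the rule or of any source quoted on this page; it assumes Common/Combined Log Format, and the log lines are constructed. Unlike the sensor, which sees a normalized URI, access logs hold the raw request, so the values are percent-decoded (twice) before matching.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Keyword alternation copied from the pcre in sid:2059281.
PAYLOAD = re.compile(
    r"script|onmouse[a-z]+|onkey[a-z]+|onerror|onload|onunload|ondragdrop|"
    r"onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style=",
    re.IGNORECASE,
)
# Request field of a Common/Combined Log Format line (assumed log format).
REQUEST = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
WATCHED = {"user_name", "auth"}


def scan(lines):
    """Return (client, parameter, keyword) for each suspicious cachemgr.cgi request."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m or m.group("method") != "GET":
            continue
        uri = urlsplit(m.group("uri"))
        if uri.path != "/cgi-bin/cachemgr.cgi":
            continue
        # parse_qsl percent-decodes once; unquote again to catch double encoding.
        for name, value in parse_qsl(uri.query, keep_blank_values=True):
            found = PAYLOAD.search(unquote(value))
            if name.lower() in WATCHED and found:
                hits.append((m.group("client"), name.lower(), found.group(0).lower()))
    return hits


# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [05/Jul/2019:10:00:00 +0000] "GET /cgi-bin/cachemgr.cgi'
    '?host=localhost&port=3128&user_name=admin&operation=menu HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/Jul/2019:10:00:05 +0000] "GET /cgi-bin/cachemgr.cgi'
    '?host=localhost&user_name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '203.0.113.5 - - [05/Jul/2019:10:00:09 +0000] "GET /cgi-bin/cachemgr.cgi'
    '?auth=x%2520style%253Dy HTTP/1.1" 200 640',
    '203.0.113.5 - - [05/Jul/2019:10:00:12 +0000] "GET /index.html'
    '?user_name=%3Cscript%3E HTTP/1.1" 404 120',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

As with the rule, the bare keyword `script` can match benign values, so hits are leads for review rather than confirmed exploitation.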

CVSS provenance

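| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | | 6.1 | MEDIUM | |
| vendor_ubuntu | | 7.5 | HIGH | |
| vendor_debian | | 6.1 | MEDIUM | |
| vendor_redhat | | 6.1 | MEDIUM | |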