CVE-2019-18860
Published 2020-03-20
CVE-2019-18860: Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi.
Priority: P4 30 · Severity: medium · CVSS 3.1 base score: 6.1
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS: 5.50% (91.8th percentile)
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | squid | < squid 4.9-1 (bookworm) | squid 4.9-1 (bookworm) |
| opensuse | leap | — | — |
| squid-cache | squid | < 4.9 | 4.9 |
| squid | squid | >= 0 < 4.9-1 | 4.9-1 |
| squid | squid | >= 0 < 4.9-1 | 4.9-1 |
| squid | squid | >= 0 < 4.9-1 | 4.9-1 |
| squid | squid | >= 0 < 4.9-1 | 4.9-1 |
| squid | squid | >= 0 < 4.10-1ubuntu1.1 | 4.10-1ubuntu1.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 6.1 | LOW | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
Ubuntu
Squid vulnerabilities
vendor_ubuntu·2020-05-13·CVSS 9.8
CVE-2019-12519 [CRITICAL] Squid vulnerabilities
Title: Squid vulnerabilities
Summary: Several security issues were fixed in Squid.
Jeriko One discovered that Squid incorrectly handled certain Edge Side
Includes (ESI) responses. A malicious remote server could cause Squid to
crash, possibly poison the cache, or possibly execute arbitrary code.
(CVE-2019-12519, CVE-2019-12521)
It was discovered that Squid incorrectly handled the hostname parameter to
cachemgr.cgi when certain browsers are used. A remote attacker could
possibly use this issue to inject HTML or invalid characters in the
hostname parameter. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04
LTS, and Ubuntu 19.10. (CVE-2019-18860)
Clément Berthaux and Florian Guilbert discovered that Squid incorrectly
handled Digest Authentication nonce values. A remote attacker coul
Red Hat
squid: Mishandled HTML in the host parameter to cachemgr.cgi results in insecure behaviour
vendor_redhat·2019-11-03·CVSS 6.1
CVE-2019-18860 [MEDIUM] CWE-20 squid: Mishandled HTML in the host parameter to cachemgr.cgi results in insecure behaviour
squid: Mishandled HTML in the host parameter to cachemgr.cgi results in insecure behaviour
Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi.
A flaw was found in squid. Squid, when certain web browsers are used, mishandles HTML in the host parameter to cachemgr.cgi, which could result in squid behaving in an insecure way.
Mitigation: The cachemgr.cgi script is not used by default. If you've set this up manually and are worried about this issue, remove it from your server.
Package: squid (Red Hat Enterprise Linux 10) - Under investigation
Package: squid (Red Hat Enterprise Linux 5) - Not affected
Package: squid (Red Hat Enterprise Linux 6) - Out of support scope
Package: squid34 (Red Hat Enterprise Linux 6) - Out of
Debian
CVE-2019-18860: squid - Squid before 4.9, when certain web browsers are used, mishandles HTML in the hos...
vendor_debian·2019·CVSS 6.1
CVE-2019-18860 [MEDIUM] CVE-2019-18860: squid - Squid before 4.9, when certain web browsers are used, mishandles HTML in the hos...
Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi.
Scope: local
bookworm: resolved (fixed in 4.9-1)
bullseye: resolved (fixed in 4.9-1)
forky: resolved (fixed in 4.9-1)
sid: resolved (fixed in 4.9-1)
trixie: resolved (fixed in 4.9-1)
GHSA
GHSA-f3c4-4h69-w2fp: Squid before 4
ghsa_unreviewed·2022-05-24
CVE-2019-18860 [MEDIUM] CWE-74 GHSA-f3c4-4h69-w2fp: Squid before 4
Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi.
OSV
squid, squid3 vulnerabilities
osv·2020-05-13·CVSS 9.8
CVE-2019-12519 [CRITICAL] squid, squid3 vulnerabilities
squid, squid3 vulnerabilities
Jeriko One discovered that Squid incorrectly handled certain Edge Side
Includes (ESI) responses. A malicious remote server could cause Squid to
crash, possibly poison the cache, or possibly execute arbitrary code.
(CVE-2019-12519, CVE-2019-12521)
It was discovered that Squid incorrectly handled the hostname parameter to
cachemgr.cgi when certain browsers are used. A remote attacker could
possibly use this issue to inject HTML or invalid characters in the
hostname parameter. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04
LTS, and Ubuntu 19.10. (CVE-2019-18860)
Clément Berthaux and Florian Guilbert discovered that Squid incorrectly
handled Digest Authentication nonce values. A remote attacker could
use this issue to replay nonce values, or possibly e
OSV
CVE-2019-18860: Squid before 4
osv·2020-03-20·CVSS 6.1
CVE-2019-18860 [MEDIUM] CVE-2019-18860: Squid before 4
Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi.
No detection rules found.
No public exploits indexed.
References
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html
https://github.com/squid-cache/squid/pull/504
https://github.com/squid-cache/squid/pull/505
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
https://usn.ubuntu.com/4356-1/
https://www.debian.org/security/2020/dsa-4732
http://www.openwall.com/lists/oss-security/2025/11/04/7
http://www.openwall.com/lists/oss-security/2025/11/05/1
http://www.openwall.com/lists/oss-security/2025/11/05/7
Published: 2020-03-20