Test ID:	1.3.6.1.4.1.25623.1.0.143765
Category:	Web Servers
Title:	Squid 3.5.18 - 3.5.28 / 4.0.10 - 4.7 Multiple Vulnerabilities (SQUID-2019:4)
Summary:	Squid is prone to multiple vulnerabilities.
Description:	Summary: Squid is prone to multiple vulnerabilities. Vulnerability Insight: Due to incorrect URL handling Squid is vulnerable to access control bypass, cache poisoning and cross-site scripting attacks when processing HTTP Request messages. Vulnerability Impact: A remote client can: - deliver crafted URLs to bypass cache manager security controls and retrieve confidential details about the proxy and traffic it is handling. - deliver crafted URLs which cause arbitrary content from one origin server to be stored in cache as URLs within another origin. This opens a window of opportunity for clients to be tricked into fetching and XSS execution of that content via side channels. Affected Software/OS: Squid proxy 3.5.18 through 3.5.28 and 4.0.10 through 4.7. Note: All Squid-4.x up to and including 4.7 without HTTPS support are NOT vulnerable. Solution: Update to version 4.8 or later. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2019-12520 Debian Security Information: DSA-4682 (Google Search) https://www.debian.org/security/2020/dsa-4682 http://www.squid-cache.org/Versions/v4/ http://www.squid-cache.org/Versions/v4/changesets/ https://github.com/squid-cache/squid/commits/v4 https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12520.txt https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html https://usn.ubuntu.com/4446-1/ Common Vulnerability Exposure (CVE) ID: CVE-2019-12524 https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12524.txt
Copyright	Copyright (C) 2020 Greenbone Networks GmbH

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.