{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-07-22T14:06:05.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/squid-cache/squid/pull/504"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/squid-cache/squid/pull/505"}, {"name": "openSUSE-SU-2020:0623", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html"}, {"name": "USN-4356-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4356-1/"}, {"name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"}, {"name": "DSA-4732", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2020/dsa-4732"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2019-18860", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/squid-cache/squid/pull/504", "refsource": "CONFIRM", "url": "https://github.com/squid-cache/squid/pull/504"}, {"name": "https://github.com/squid-cache/squid/pull/505", "refsource": "MISC", "url": "https://github.com/squid-cache/squid/pull/505"}, {"name": "openSUSE-SU-2020:0623", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html"}, {"name": "USN-4356-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4356-1/"}, {"name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"}, {"name": "DSA-4732", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4732"}]}}}, "adp": [{"title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/squid-cache/squid/pull/504"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/squid-cache/squid/pull/505"}, {"name": "openSUSE-SU-2020:0623", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html"}, {"name": "USN-4356-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4356-1/"}, {"name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"}, {"name": "DSA-4732", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2020/dsa-4732"}, {"url": "http://www.openwall.com/lists/oss-security/2025/11/04/7"}, {"url": "http://www.openwall.com/lists/oss-security/2025/11/05/1"}, {"url": "http://www.openwall.com/lists/oss-security/2025/11/05/7"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-05T17:04:14.102Z"}}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-18860", "datePublished": "2020-03-20T20:32:16.000Z", "dateReserved": "2019-11-11T00:00:00.000Z", "dateUpdated": "2025-11-05T17:04:14.102Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.2"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*", "matchCriteriaId": "2FFB5736-A0F8-4B03-ACAE-ED7CF02ECA9B", "versionEndExcluding": "4.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "matchCriteriaId": "A31C8344-3E02-4EB8-8BD8-4C84B7959624", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi."}, {"lang": "es", "value": "Squid versiones anteriores a 4.9, cuando determinados navegadores web son usados, maneja inapropiadamente HTML en el par\u00e1metro host (tambi\u00e9n se conoce como hostname) en el archivo cachemgr.cgi."}], "id": "CVE-2019-18860", "lastModified": "2025-11-05T17:15:33.743", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "[email protected]", "type": "Primary"}]}, "published": "2020-03-20T21:15:16.547", "references": [{"source": "[email protected]", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html"}, {"source": "[email protected]", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/squid-cache/squid/pull/504"}, {"source": "[email protected]", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/squid-cache/squid/pull/505"}, {"source": "[email protected]", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4356-1/"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2020/dsa-4732"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00018.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/11/04/7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/11/05/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/11/05/7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/squid-cache/squid/pull/504"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/squid-cache/squid/pull/505"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4356-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2020/dsa-4732"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "[email protected]", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:4743", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "squid:4-8030020200828070549.30b713e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-11-04T00:00:00Z"}], "bugzilla": {"description": "squid: Mishandled HTML in the host parameter to cachemgr.cgi results in insecure behaviour", "id": "1817121", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1817121"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-20->CWE-79", "details": ["Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi.", "A flaw was found in squid. Squid, when certain web browsers are used, mishandles HTML in the host parameter to cachemgr.cgi which could result in squid behaving in unsecure way."], "mitigation": {"lang": "en:us", "value": "The cachemgr.cgi script is not used by default. If you've set this up manually and are worried about this issue, remove it from your server."}, "name": "CVE-2019-18860", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "squid34", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "squid", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2019-11-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-18860\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-18860\nhttps://github.com/squid-cache/squid/pull/504"], "threat_severity": "Moderate"}