Vendor CVEs
Squidex
All CVEs
155 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-46857 | 0.00 | — | 0.01 | Dec 7, 2023 | Squidex before 7.9.0 allows XSS via an SVG document to the Upload Assets feature. This occurs because there is an incomplete blacklist in the SVG inspection, allowing JavaScript in the SRC attribute of an IFRAME element. An authenticated attack with assets.create permission is… | |||
| CVE-2023-49288 | 0.00 | — | 0.05 | Dec 4, 2023 | Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Affected versions of squid are subject to a a Use-After-Free bug which can lead to a Denial of Service attack via collapsed forwarding. All versions of Squid from 3.5 up to and including 5.9 configured… | |||
| CVE-2023-46252 | 0.00 | — | 0.00 | Nov 7, 2023 | Squidex is an open source headless CMS and content management hub. Affected versions are missing origin verification in a postMessage handler which introduces a Cross-Site Scripting (XSS) vulnerability. The editor-sdk.js file defines three different class-like functions, which… | |||
| CVE-2023-46744 | 0.00 | — | 0.01 | Nov 7, 2023 | Squidex is an open source headless CMS and content management hub. In affected versions a stored Cross-Site Scripting (XSS) vulnerability enables privilege escalation of authenticated users. The SVG element filtering mechanism intended to stop XSS attacks through uploaded SVG… | |||
| CVE-2023-46728 | 0.00 | — | 0.06 | Nov 6, 2023 | Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of Service attack against Squid's Gopher gateway. The gopher protocol is always available and enabled in Squid prior to Squid 6.0.1.… | |||
| CVE-2023-5824 | 0.00 | — | 0.05 | Nov 3, 2023 | A flaw was found in Squid. The limits applied for validation of HTTP response headers are applied before caching. However, Squid may grow a cached HTTP response header beyond the configured maximum size, causing a stall or crash of the worker process when a large header is… | |||
| CVE-2023-46724 | 0.00 | — | 0.04 | Nov 1, 2023 | Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem… | |||
| CVE-2023-3580 | 0.00 | — | 0.01 | Jul 10, 2023 | Improper Handling of Additional Special Element in GitHub repository squidex/squidex prior to 7.4.0. | |||
| CVE-2023-0643 | 0.00 | — | 0.01 | Feb 2, 2023 | Improper Handling of Additional Special Element in GitHub repository squidex/squidex prior to 7.4.0. | |||
| CVE-2023-0642 | 0.00 | — | 0.00 | Feb 2, 2023 | Cross-Site Request Forgery (CSRF) in GitHub repository squidex/squidex prior to 7.4.0. | |||
| CVE-2022-41318 | 0.00 | — | 0.03 | Dec 25, 2022 | A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. In some configurations, cleartext credentials from these… | |||
| CVE-2022-41317 | 0.00 | — | 0.02 | Dec 25, 2022 | An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7. | |||
| CVE-2021-46784 | 0.00 | — | 0.04 | Jul 17, 2022 | In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses. | |||
| CVE-2021-41611 | 0.00 | — | 0.03 | Oct 18, 2021 | An issue was discovered in Squid 5.0.6 through 5.1.x before 5.2. When validating an origin server or peer certificate, Squid may incorrectly classify certain certificates as trusted. This problem allows a remote server to obtain security trust well improperly. This indication of… | |||
| CVE-2021-28651 | 0.00 | — | 0.07 | May 27, 2021 | An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that… | |||
| CVE-2021-31808 | 0.00 | — | 0.05 | May 27, 2021 | An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this. | |||
| CVE-2020-25097 | 0.00 | — | 0.08 | Mar 19, 2021 | An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace… | |||
| CVE-2020-15811 | 0.00 | — | 0.04 | Sep 2, 2020 | An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Splitting attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local… | |||
| CVE-2020-15810 | 0.00 | — | 0.03 | Sep 2, 2020 | An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Smuggling attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local… | |||
| CVE-2020-14058 | 0.00 | — | 0.03 | Jun 30, 2020 | An issue was discovered in Squid before 4.12 and 5.x before 5.0.3. Due to use of a potentially dangerous function, Squid and the default certificate validation helper are vulnerable to a Denial of Service when opening a TLS connection to an attacker-controlled server for HTTPS.… | |||
| CVE-2020-14059 | 0.00 | — | 0.04 | Jun 30, 2020 | An issue was discovered in Squid 5.x before 5.0.3. Due to an Incorrect Synchronization, a Denial of Service can occur when processing objects in an SMP cache because of an Ipc::Mem::PageStack::pop ABA problem during access to the memory page/slot management list. | |||
| CVE-2019-12520 | 0.00 | — | 0.04 | Apr 15, 2020 | An issue was discovered in Squid through 4.7 and 5. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making a MD5 hash of the absolute URL of the request. If found, it servers the request. The absolute URL can include the… | |||
| CVE-2019-12522 | 0.00 | — | 0.00 | Apr 15, 2020 | An issue was discovered in Squid through 4.7. When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has… | |||
| CVE-2019-12521 | 0.00 | — | 0.06 | Apr 15, 2020 | An issue was discovered in Squid through 4.7. When Squid is parsing ESI, it keeps the ESI elements in ESIContext. ESIContext contains a buffer for holding a stack of ESIElements. When a new ESIElement is parsed, it is added via addStackElement. addStackElement has a check for… | |||
| CVE-2019-12524 | 0.00 | — | 0.04 | Apr 15, 2020 | An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the… | |||
| CVE-2019-18860 | 0.00 | — | 0.06 | Mar 20, 2020 | Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi. | |||
| CVE-2020-8517 | 0.00 | — | 0.07 | Feb 4, 2020 | An issue was discovered in Squid before 4.10. Due to incorrect input validation, the NTLM authentication credentials parser in ext_lm_group_acl may write to memory outside the credentials buffer. On systems with memory access protections, this can result in the helper process… | |||
| CVE-2020-8449 | 0.00 | — | 0.08 | Feb 4, 2020 | An issue was discovered in Squid before 4.10. Due to incorrect input validation, it can interpret crafted HTTP requests in unexpected ways to access server resources prohibited by earlier security filters. | |||
| CVE-2019-12523 | 0.00 | — | 0.04 | Nov 26, 2019 | An issue was discovered in Squid before 4.9. When handling a URN request, a corresponding HTTP request is made. This HTTP request doesn't go through the access checks that incoming HTTP requests go through. This causes all access checks to be bypassed and allows access to… | |||
| CVE-2019-18676 | 0.00 | — | 0.09 | Nov 26, 2019 | An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security… | |||
| CVE-2019-18677 | 0.00 | — | 0.07 | Nov 26, 2019 | An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins… | |||
| CVE-2019-18678 | 0.00 | — | 0.11 | Nov 26, 2019 | An issue was discovered in Squid 3.x and 4.x through 4.8. It allows attackers to smuggle HTTP requests through frontend software to a Squid instance that splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches (between a client and Squid)… | |||
| CVE-2019-18679 | 0.00 | — | 0.41 | Nov 26, 2019 | An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. Due to incorrect data management, it is vulnerable to information disclosure when processing HTTP Digest Authentication. Nonce tokens contain the raw byte value of a pointer that sits within heap memory allocation.… | |||
| CVE-2018-19131 | 0.00 | — | 0.03 | Nov 9, 2018 | Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors. | |||
| CVE-2018-19132 | 0.00 | — | 0.06 | Nov 9, 2018 | Squid before 4.4, when SNMP is enabled, allows a denial of service (Memory Leak) via an SNMP packet. | |||
| CVE-2015-0881 | 0.00 | — | 0.05 | Feb 20, 2015 | CRLF injection vulnerability in Squid before 3.1.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted header in a response. | |||
| CVE-2009-0801 | 0.00 | — | 0.03 | Mar 4, 2009 | Squid, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted… | |||
| CVE-2008-1612 | 0.00 | — | 0.02 | Apr 1, 2008 | The arrayShrink function (lib/Array.c) in Squid 2.6.STABLE17 allows attackers to cause a denial of service (process exit) via unknown vectors that cause an array to shrink to 0 entries, which triggers an assert error. NOTE: this issue is due to an incorrect fix for… | |||
| CVE-2005-3258 | 0.00 | — | 0.02 | Oct 20, 2005 | The rfc1738_do_escape function in ftp.c for Squid 2.5 STABLE11 and earlier allows remote FTP servers to cause a denial of service (segmentation fault) via certain "odd" responses. | |||
| CVE-2005-2917 | 0.00 | — | 0.03 | Sep 30, 2005 | Squid 2.5.STABLE10 and earlier, while performing NTLM authentication, does not properly handle certain request sequences, which allows attackers to cause a denial of service (daemon restart). | |||
| CVE-2005-2794 | 0.00 | — | 0.03 | Sep 7, 2005 | store.c in Squid 2.5.STABLE10 and earlier allows remote attackers to cause a denial of service (crash) via certain aborted requests that trigger an assert error related to STORE_PENDING. | |||
| CVE-2005-1519 | 0.00 | — | 0.02 | May 11, 2005 | Squid 2.5 STABLE9 and earlier, when the DNS client port is unfiltered and the environment does not prevent IP spoofing, allows remote attackers to spoof DNS lookups. | |||
| CVE-2005-1345 | 0.00 | — | 0.02 | May 2, 2005 | Squid 2.5.STABLE9 and earlier does not trigger a fatal error when it identifies missing or invalid ACLs in the http_access configuration, which could lead to less restrictive ACLs than intended by the administrator. | |||
| CVE-2005-0194 | 0.00 | — | 0.05 | May 2, 2005 | Squid 2.5, when processing the configuration file, parses empty Access Control Lists (ACLs), including proxy_auth ACLs without defined auth schemes, in a way that effectively removes arguments, which could allow remote attackers to bypass intended ACLs if the administrator… | |||
| CVE-2005-0626 | 0.00 | — | 0.01 | Mar 8, 2005 | Race condition in Squid 2.5.STABLE7 to 2.5.STABLE9, when using the Netscape Set-Cookie recommendations for handling cookies in caches, may cause Set-Cookie headers to be sent to other users, which allows attackers to steal the related cookies. | |||
| CVE-2004-2654 | 0.00 | — | 0.02 | Dec 31, 2004 | The clientAbortBody function in client_side.c in Squid Web Proxy Cache before 2.6 STABLE6 allows remote attackers to cause a denial of service (segmentation fault) via unspecified vectors that trigger a null dereference. NOTE: in a followup advisory, a researcher claimed that… | |||
| CVE-2002-0714 | 0.00 | — | 0.03 | Jul 26, 2002 | FTP proxy in Squid before 2.4.STABLE6 does not compare the IP addresses of control and data connections with the FTP server, which allows remote attackers to bypass firewall rules or spoof FTP server responses. | |||
| CVE-2002-0713 | 0.00 | — | 0.06 | Jul 26, 2002 | Buffer overflows in Squid before 2.4.STABLE6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code (1) via the MSNT auth helper (msnt_auth) when using denyusers or allowusers files, (2) via the gopher client, or (3) via the FTP server… | |||
| CVE-2002-0715 | 0.00 | — | 0.02 | Jul 26, 2002 | Vulnerability in Squid before 2.4.STABLE6 related to proxy authentication credentials may allow remote web sites to obtain the user's proxy login and password. | |||
| CVE-2002-0067 | 0.00 | — | 0.04 | Mar 8, 2002 | Squid 2.4 STABLE3 and earlier does not properly disable HTCP, even when "htcp_port 0" is specified in squid.conf, which could allow remote attackers to bypass intended access restrictions. |
- CVE-2023-46857Dec 7, 2023risk 0.00cvss —epss 0.01
Squidex before 7.9.0 allows XSS via an SVG document to the Upload Assets feature. This occurs because there is an incomplete blacklist in the SVG inspection, allowing JavaScript in the SRC attribute of an IFRAME element. An authenticated attack with assets.create permission is…
- CVE-2023-49288Dec 4, 2023risk 0.00cvss —epss 0.05
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Affected versions of squid are subject to a a Use-After-Free bug which can lead to a Denial of Service attack via collapsed forwarding. All versions of Squid from 3.5 up to and including 5.9 configured…
- CVE-2023-46252Nov 7, 2023risk 0.00cvss —epss 0.00
Squidex is an open source headless CMS and content management hub. Affected versions are missing origin verification in a postMessage handler which introduces a Cross-Site Scripting (XSS) vulnerability. The editor-sdk.js file defines three different class-like functions, which…
- CVE-2023-46744Nov 7, 2023risk 0.00cvss —epss 0.01
Squidex is an open source headless CMS and content management hub. In affected versions a stored Cross-Site Scripting (XSS) vulnerability enables privilege escalation of authenticated users. The SVG element filtering mechanism intended to stop XSS attacks through uploaded SVG…
- CVE-2023-46728Nov 6, 2023risk 0.00cvss —epss 0.06
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of Service attack against Squid's Gopher gateway. The gopher protocol is always available and enabled in Squid prior to Squid 6.0.1.…
- CVE-2023-5824Nov 3, 2023risk 0.00cvss —epss 0.05
A flaw was found in Squid. The limits applied for validation of HTTP response headers are applied before caching. However, Squid may grow a cached HTTP response header beyond the configured maximum size, causing a stall or crash of the worker process when a large header is…
- CVE-2023-46724Nov 1, 2023risk 0.00cvss —epss 0.04
Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem…
- CVE-2023-3580Jul 10, 2023risk 0.00cvss —epss 0.01
Improper Handling of Additional Special Element in GitHub repository squidex/squidex prior to 7.4.0.
- CVE-2023-0643Feb 2, 2023risk 0.00cvss —epss 0.01
Improper Handling of Additional Special Element in GitHub repository squidex/squidex prior to 7.4.0.
- CVE-2023-0642Feb 2, 2023risk 0.00cvss —epss 0.00
Cross-Site Request Forgery (CSRF) in GitHub repository squidex/squidex prior to 7.4.0.
- CVE-2022-41318Dec 25, 2022risk 0.00cvss —epss 0.03
A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. In some configurations, cleartext credentials from these…
- CVE-2022-41317Dec 25, 2022risk 0.00cvss —epss 0.02
An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7.
- CVE-2021-46784Jul 17, 2022risk 0.00cvss —epss 0.04
In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses.
- CVE-2021-41611Oct 18, 2021risk 0.00cvss —epss 0.03
An issue was discovered in Squid 5.0.6 through 5.1.x before 5.2. When validating an origin server or peer certificate, Squid may incorrectly classify certain certificates as trusted. This problem allows a remote server to obtain security trust well improperly. This indication of…
- CVE-2021-28651May 27, 2021risk 0.00cvss —epss 0.07
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that…
- CVE-2021-31808May 27, 2021risk 0.00cvss —epss 0.05
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this.
- CVE-2020-25097Mar 19, 2021risk 0.00cvss —epss 0.08
An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace…
- CVE-2020-15811Sep 2, 2020risk 0.00cvss —epss 0.04
An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Splitting attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local…
- CVE-2020-15810Sep 2, 2020risk 0.00cvss —epss 0.03
An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Smuggling attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local…
- CVE-2020-14058Jun 30, 2020risk 0.00cvss —epss 0.03
An issue was discovered in Squid before 4.12 and 5.x before 5.0.3. Due to use of a potentially dangerous function, Squid and the default certificate validation helper are vulnerable to a Denial of Service when opening a TLS connection to an attacker-controlled server for HTTPS.…
- CVE-2020-14059Jun 30, 2020risk 0.00cvss —epss 0.04
An issue was discovered in Squid 5.x before 5.0.3. Due to an Incorrect Synchronization, a Denial of Service can occur when processing objects in an SMP cache because of an Ipc::Mem::PageStack::pop ABA problem during access to the memory page/slot management list.
- CVE-2019-12520Apr 15, 2020risk 0.00cvss —epss 0.04
An issue was discovered in Squid through 4.7 and 5. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making a MD5 hash of the absolute URL of the request. If found, it servers the request. The absolute URL can include the…
- CVE-2019-12522Apr 15, 2020risk 0.00cvss —epss 0.00
An issue was discovered in Squid through 4.7. When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has…
- CVE-2019-12521Apr 15, 2020risk 0.00cvss —epss 0.06
An issue was discovered in Squid through 4.7. When Squid is parsing ESI, it keeps the ESI elements in ESIContext. ESIContext contains a buffer for holding a stack of ESIElements. When a new ESIElement is parsed, it is added via addStackElement. addStackElement has a check for…
- CVE-2019-12524Apr 15, 2020risk 0.00cvss —epss 0.04
An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the…
- CVE-2019-18860Mar 20, 2020risk 0.00cvss —epss 0.06
Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi.
- CVE-2020-8517Feb 4, 2020risk 0.00cvss —epss 0.07
An issue was discovered in Squid before 4.10. Due to incorrect input validation, the NTLM authentication credentials parser in ext_lm_group_acl may write to memory outside the credentials buffer. On systems with memory access protections, this can result in the helper process…
- CVE-2020-8449Feb 4, 2020risk 0.00cvss —epss 0.08
An issue was discovered in Squid before 4.10. Due to incorrect input validation, it can interpret crafted HTTP requests in unexpected ways to access server resources prohibited by earlier security filters.
- CVE-2019-12523Nov 26, 2019risk 0.00cvss —epss 0.04
An issue was discovered in Squid before 4.9. When handling a URN request, a corresponding HTTP request is made. This HTTP request doesn't go through the access checks that incoming HTTP requests go through. This causes all access checks to be bypassed and allows access to…
- CVE-2019-18676Nov 26, 2019risk 0.00cvss —epss 0.09
An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security…
- CVE-2019-18677Nov 26, 2019risk 0.00cvss —epss 0.07
An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins…
- CVE-2019-18678Nov 26, 2019risk 0.00cvss —epss 0.11
An issue was discovered in Squid 3.x and 4.x through 4.8. It allows attackers to smuggle HTTP requests through frontend software to a Squid instance that splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches (between a client and Squid)…
- CVE-2019-18679Nov 26, 2019risk 0.00cvss —epss 0.41
An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. Due to incorrect data management, it is vulnerable to information disclosure when processing HTTP Digest Authentication. Nonce tokens contain the raw byte value of a pointer that sits within heap memory allocation.…
- CVE-2018-19131Nov 9, 2018risk 0.00cvss —epss 0.03
Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors.
- CVE-2018-19132Nov 9, 2018risk 0.00cvss —epss 0.06
Squid before 4.4, when SNMP is enabled, allows a denial of service (Memory Leak) via an SNMP packet.
- CVE-2015-0881Feb 20, 2015risk 0.00cvss —epss 0.05
CRLF injection vulnerability in Squid before 3.1.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted header in a response.
- CVE-2009-0801Mar 4, 2009risk 0.00cvss —epss 0.03
Squid, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted…
- CVE-2008-1612Apr 1, 2008risk 0.00cvss —epss 0.02
The arrayShrink function (lib/Array.c) in Squid 2.6.STABLE17 allows attackers to cause a denial of service (process exit) via unknown vectors that cause an array to shrink to 0 entries, which triggers an assert error. NOTE: this issue is due to an incorrect fix for…
- CVE-2005-3258Oct 20, 2005risk 0.00cvss —epss 0.02
The rfc1738_do_escape function in ftp.c for Squid 2.5 STABLE11 and earlier allows remote FTP servers to cause a denial of service (segmentation fault) via certain "odd" responses.
- CVE-2005-2917Sep 30, 2005risk 0.00cvss —epss 0.03
Squid 2.5.STABLE10 and earlier, while performing NTLM authentication, does not properly handle certain request sequences, which allows attackers to cause a denial of service (daemon restart).
- CVE-2005-2794Sep 7, 2005risk 0.00cvss —epss 0.03
store.c in Squid 2.5.STABLE10 and earlier allows remote attackers to cause a denial of service (crash) via certain aborted requests that trigger an assert error related to STORE_PENDING.
- CVE-2005-1519May 11, 2005risk 0.00cvss —epss 0.02
Squid 2.5 STABLE9 and earlier, when the DNS client port is unfiltered and the environment does not prevent IP spoofing, allows remote attackers to spoof DNS lookups.
- CVE-2005-1345May 2, 2005risk 0.00cvss —epss 0.02
Squid 2.5.STABLE9 and earlier does not trigger a fatal error when it identifies missing or invalid ACLs in the http_access configuration, which could lead to less restrictive ACLs than intended by the administrator.
- CVE-2005-0194May 2, 2005risk 0.00cvss —epss 0.05
Squid 2.5, when processing the configuration file, parses empty Access Control Lists (ACLs), including proxy_auth ACLs without defined auth schemes, in a way that effectively removes arguments, which could allow remote attackers to bypass intended ACLs if the administrator…
- CVE-2005-0626Mar 8, 2005risk 0.00cvss —epss 0.01
Race condition in Squid 2.5.STABLE7 to 2.5.STABLE9, when using the Netscape Set-Cookie recommendations for handling cookies in caches, may cause Set-Cookie headers to be sent to other users, which allows attackers to steal the related cookies.
- CVE-2004-2654Dec 31, 2004risk 0.00cvss —epss 0.02
The clientAbortBody function in client_side.c in Squid Web Proxy Cache before 2.6 STABLE6 allows remote attackers to cause a denial of service (segmentation fault) via unspecified vectors that trigger a null dereference. NOTE: in a followup advisory, a researcher claimed that…
- CVE-2002-0714Jul 26, 2002risk 0.00cvss —epss 0.03
FTP proxy in Squid before 2.4.STABLE6 does not compare the IP addresses of control and data connections with the FTP server, which allows remote attackers to bypass firewall rules or spoof FTP server responses.
- CVE-2002-0713Jul 26, 2002risk 0.00cvss —epss 0.06
Buffer overflows in Squid before 2.4.STABLE6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code (1) via the MSNT auth helper (msnt_auth) when using denyusers or allowusers files, (2) via the gopher client, or (3) via the FTP server…
- CVE-2002-0715Jul 26, 2002risk 0.00cvss —epss 0.02
Vulnerability in Squid before 2.4.STABLE6 related to proxy authentication credentials may allow remote web sites to obtain the user's proxy login and password.
- CVE-2002-0067Mar 8, 2002risk 0.00cvss —epss 0.04
Squid 2.4 STABLE3 and earlier does not properly disable HTCP, even when "htcp_port 0" is specified in squid.conf, which could allow remote attackers to bypass intended access restrictions.
Page 3 of 4