VYPR

Vendor CVEs

Squidex

All CVEs

155 total · sorted by risk
  • CVE-2023-46857Dec 7, 2023
    risk 0.00cvss epss 0.01

    Squidex before 7.9.0 allows XSS via an SVG document to the Upload Assets feature. This occurs because there is an incomplete blacklist in the SVG inspection, allowing JavaScript in the SRC attribute of an IFRAME element. An authenticated attack with assets.create permission is…

  • CVE-2023-49288Dec 4, 2023
    risk 0.00cvss epss 0.05

    Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Affected versions of squid are subject to a a Use-After-Free bug which can lead to a Denial of Service attack via collapsed forwarding. All versions of Squid from 3.5 up to and including 5.9 configured…

  • CVE-2023-46252Nov 7, 2023
    risk 0.00cvss epss 0.00

    Squidex is an open source headless CMS and content management hub. Affected versions are missing origin verification in a postMessage handler which introduces a Cross-Site Scripting (XSS) vulnerability. The editor-sdk.js file defines three different class-like functions, which…

  • CVE-2023-46744Nov 7, 2023
    risk 0.00cvss epss 0.01

    Squidex is an open source headless CMS and content management hub. In affected versions a stored Cross-Site Scripting (XSS) vulnerability enables privilege escalation of authenticated users. The SVG element filtering mechanism intended to stop XSS attacks through uploaded SVG…

  • CVE-2023-46728Nov 6, 2023
    risk 0.00cvss epss 0.06

    Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of Service attack against Squid's Gopher gateway. The gopher protocol is always available and enabled in Squid prior to Squid 6.0.1.…

  • CVE-2023-5824Nov 3, 2023
    risk 0.00cvss epss 0.05

    A flaw was found in Squid. The limits applied for validation of HTTP response headers are applied before caching. However, Squid may grow a cached HTTP response header beyond the configured maximum size, causing a stall or crash of the worker process when a large header is…

  • CVE-2023-46724Nov 1, 2023
    risk 0.00cvss epss 0.04

    Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem…

  • CVE-2023-3580Jul 10, 2023
    risk 0.00cvss epss 0.01

    Improper Handling of Additional Special Element in GitHub repository squidex/squidex prior to 7.4.0.

  • CVE-2023-0643Feb 2, 2023
    risk 0.00cvss epss 0.01

    Improper Handling of Additional Special Element in GitHub repository squidex/squidex prior to 7.4.0.

  • CVE-2023-0642Feb 2, 2023
    risk 0.00cvss epss 0.00

    Cross-Site Request Forgery (CSRF) in GitHub repository squidex/squidex prior to 7.4.0.

  • CVE-2022-41318Dec 25, 2022
    risk 0.00cvss epss 0.03

    A buffer over-read was discovered in libntlmauth in Squid 2.5 through 5.6. Due to incorrect integer-overflow protection, the SSPI and SMB authentication helpers are vulnerable to reading unintended memory locations. In some configurations, cleartext credentials from these…

  • CVE-2022-41317Dec 25, 2022
    risk 0.00cvss epss 0.02

    An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7.

  • CVE-2021-46784Jul 17, 2022
    risk 0.00cvss epss 0.04

    In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses.

  • CVE-2021-41611Oct 18, 2021
    risk 0.00cvss epss 0.03

    An issue was discovered in Squid 5.0.6 through 5.1.x before 5.2. When validating an origin server or peer certificate, Squid may incorrectly classify certain certificates as trusted. This problem allows a remote server to obtain security trust well improperly. This indication of…

  • CVE-2021-28651May 27, 2021
    risk 0.00cvss epss 0.07

    An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that…

  • CVE-2021-31808May 27, 2021
    risk 0.00cvss epss 0.05

    An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this.

  • CVE-2020-25097Mar 19, 2021
    risk 0.00cvss epss 0.08

    An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace…

  • CVE-2020-15811Sep 2, 2020
    risk 0.00cvss epss 0.04

    An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Splitting attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local…

  • CVE-2020-15810Sep 2, 2020
    risk 0.00cvss epss 0.03

    An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Smuggling attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local…

  • CVE-2020-14058Jun 30, 2020
    risk 0.00cvss epss 0.03

    An issue was discovered in Squid before 4.12 and 5.x before 5.0.3. Due to use of a potentially dangerous function, Squid and the default certificate validation helper are vulnerable to a Denial of Service when opening a TLS connection to an attacker-controlled server for HTTPS.…

  • CVE-2020-14059Jun 30, 2020
    risk 0.00cvss epss 0.04

    An issue was discovered in Squid 5.x before 5.0.3. Due to an Incorrect Synchronization, a Denial of Service can occur when processing objects in an SMP cache because of an Ipc::Mem::PageStack::pop ABA problem during access to the memory page/slot management list.

  • CVE-2019-12520Apr 15, 2020
    risk 0.00cvss epss 0.04

    An issue was discovered in Squid through 4.7 and 5. When receiving a request, Squid checks its cache to see if it can serve up a response. It does this by making a MD5 hash of the absolute URL of the request. If found, it servers the request. The absolute URL can include the…

  • CVE-2019-12522Apr 15, 2020
    risk 0.00cvss epss 0.00

    An issue was discovered in Squid through 4.7. When Squid is run as root, it spawns its child processes as a lesser user, by default the user nobody. This is done via the leave_suid call. leave_suid leaves the Saved UID as 0. This makes it trivial for an attacker who has…

  • CVE-2019-12521Apr 15, 2020
    risk 0.00cvss epss 0.06

    An issue was discovered in Squid through 4.7. When Squid is parsing ESI, it keeps the ESI elements in ESIContext. ESIContext contains a buffer for holding a stack of ESIElements. When a new ESIElement is parsed, it is added via addStackElement. addStackElement has a check for…

  • CVE-2019-12524Apr 15, 2020
    risk 0.00cvss epss 0.04

    An issue was discovered in Squid through 4.7. When handling requests from users, Squid checks its rules to see if the request should be denied. Squid by default comes with rules to block access to the Cache Manager, which serves detailed server information meant for the…

  • CVE-2019-18860Mar 20, 2020
    risk 0.00cvss epss 0.06

    Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi.

  • CVE-2020-8517Feb 4, 2020
    risk 0.00cvss epss 0.07

    An issue was discovered in Squid before 4.10. Due to incorrect input validation, the NTLM authentication credentials parser in ext_lm_group_acl may write to memory outside the credentials buffer. On systems with memory access protections, this can result in the helper process…

  • CVE-2020-8449Feb 4, 2020
    risk 0.00cvss epss 0.08

    An issue was discovered in Squid before 4.10. Due to incorrect input validation, it can interpret crafted HTTP requests in unexpected ways to access server resources prohibited by earlier security filters.

  • CVE-2019-12523Nov 26, 2019
    risk 0.00cvss epss 0.04

    An issue was discovered in Squid before 4.9. When handling a URN request, a corresponding HTTP request is made. This HTTP request doesn't go through the access checks that incoming HTTP requests go through. This causes all access checks to be bypassed and allows access to…

  • CVE-2019-18676Nov 26, 2019
    risk 0.00cvss epss 0.09

    An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security…

  • CVE-2019-18677Nov 26, 2019
    risk 0.00cvss epss 0.07

    An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins…

  • CVE-2019-18678Nov 26, 2019
    risk 0.00cvss epss 0.11

    An issue was discovered in Squid 3.x and 4.x through 4.8. It allows attackers to smuggle HTTP requests through frontend software to a Squid instance that splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches (between a client and Squid)…

  • CVE-2019-18679Nov 26, 2019
    risk 0.00cvss epss 0.41

    An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. Due to incorrect data management, it is vulnerable to information disclosure when processing HTTP Digest Authentication. Nonce tokens contain the raw byte value of a pointer that sits within heap memory allocation.…

  • CVE-2018-19131Nov 9, 2018
    risk 0.00cvss epss 0.03

    Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors.

  • CVE-2018-19132Nov 9, 2018
    risk 0.00cvss epss 0.06

    Squid before 4.4, when SNMP is enabled, allows a denial of service (Memory Leak) via an SNMP packet.

  • CVE-2015-0881Feb 20, 2015
    risk 0.00cvss epss 0.05

    CRLF injection vulnerability in Squid before 3.1.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted header in a response.

  • CVE-2009-0801Mar 4, 2009
    risk 0.00cvss epss 0.03

    Squid, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted…

  • CVE-2008-1612Apr 1, 2008
    risk 0.00cvss epss 0.02

    The arrayShrink function (lib/Array.c) in Squid 2.6.STABLE17 allows attackers to cause a denial of service (process exit) via unknown vectors that cause an array to shrink to 0 entries, which triggers an assert error. NOTE: this issue is due to an incorrect fix for…

  • CVE-2005-3258Oct 20, 2005
    risk 0.00cvss epss 0.02

    The rfc1738_do_escape function in ftp.c for Squid 2.5 STABLE11 and earlier allows remote FTP servers to cause a denial of service (segmentation fault) via certain "odd" responses.

  • CVE-2005-2917Sep 30, 2005
    risk 0.00cvss epss 0.03

    Squid 2.5.STABLE10 and earlier, while performing NTLM authentication, does not properly handle certain request sequences, which allows attackers to cause a denial of service (daemon restart).

  • CVE-2005-2794Sep 7, 2005
    risk 0.00cvss epss 0.03

    store.c in Squid 2.5.STABLE10 and earlier allows remote attackers to cause a denial of service (crash) via certain aborted requests that trigger an assert error related to STORE_PENDING.

  • CVE-2005-1519May 11, 2005
    risk 0.00cvss epss 0.02

    Squid 2.5 STABLE9 and earlier, when the DNS client port is unfiltered and the environment does not prevent IP spoofing, allows remote attackers to spoof DNS lookups.

  • CVE-2005-1345May 2, 2005
    risk 0.00cvss epss 0.02

    Squid 2.5.STABLE9 and earlier does not trigger a fatal error when it identifies missing or invalid ACLs in the http_access configuration, which could lead to less restrictive ACLs than intended by the administrator.

  • CVE-2005-0194May 2, 2005
    risk 0.00cvss epss 0.05

    Squid 2.5, when processing the configuration file, parses empty Access Control Lists (ACLs), including proxy_auth ACLs without defined auth schemes, in a way that effectively removes arguments, which could allow remote attackers to bypass intended ACLs if the administrator…

  • CVE-2005-0626Mar 8, 2005
    risk 0.00cvss epss 0.01

    Race condition in Squid 2.5.STABLE7 to 2.5.STABLE9, when using the Netscape Set-Cookie recommendations for handling cookies in caches, may cause Set-Cookie headers to be sent to other users, which allows attackers to steal the related cookies.

  • CVE-2004-2654Dec 31, 2004
    risk 0.00cvss epss 0.02

    The clientAbortBody function in client_side.c in Squid Web Proxy Cache before 2.6 STABLE6 allows remote attackers to cause a denial of service (segmentation fault) via unspecified vectors that trigger a null dereference. NOTE: in a followup advisory, a researcher claimed that…

  • CVE-2002-0714Jul 26, 2002
    risk 0.00cvss epss 0.03

    FTP proxy in Squid before 2.4.STABLE6 does not compare the IP addresses of control and data connections with the FTP server, which allows remote attackers to bypass firewall rules or spoof FTP server responses.

  • CVE-2002-0713Jul 26, 2002
    risk 0.00cvss epss 0.06

    Buffer overflows in Squid before 2.4.STABLE6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code (1) via the MSNT auth helper (msnt_auth) when using denyusers or allowusers files, (2) via the gopher client, or (3) via the FTP server…

  • CVE-2002-0715Jul 26, 2002
    risk 0.00cvss epss 0.02

    Vulnerability in Squid before 2.4.STABLE6 related to proxy authentication credentials may allow remote web sites to obtain the user's proxy login and password.

  • CVE-2002-0067Mar 8, 2002
    risk 0.00cvss epss 0.04

    Squid 2.4 STABLE3 and earlier does not properly disable HTCP, even when "htcp_port 0" is specified in squid.conf, which could allow remote attackers to bypass intended access restrictions.