CVE-2019-18860: 
Squid vulnerability analysis and mitigation

CVE-2019-18860 affects Squid versions before 4.9, specifically impacting the handling of HTML in the host (hostname) parameter to cachemgr.cgi when certain web browsers are used. The vulnerability was discovered in late 2019 and publicly disclosed on March 20, 2020. This security issue affects multiple operating systems and distributions including Ubuntu, Debian, and OpenSUSE (NVD, Ubuntu Security).

The vulnerability is classified as an Improper Neutralization of Special Elements in Output Used by a Downstream Component (CWE-74). It received a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required. The vulnerability specifically relates to the mishandling of HTML in the host parameter of cachemgr.cgi (NVD).

The vulnerability allows remote attackers to potentially inject HTML or invalid characters in the hostname parameter when specific browsers are used. This could lead to potential security implications including information disclosure and possible cross-site scripting attacks (Ubuntu USN).

The vulnerability has been fixed in Squid version 4.9 and later. Multiple Linux distributions have released security updates to address this issue: Ubuntu has released fixes for versions 16.04, 18.04, 19.10, and 20.04; Debian has released updates for versions 9.0 and 10.0; and OpenSUSE has released fixes for Leap 15.1. Users are advised to upgrade to the patched versions (Ubuntu USN, Debian Security).