Описание
Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors.
A Cross-Site Scripting vulnerability has been discovered in squid in the way X.509 certificates fields are displayed in some error pages. An attacker who can control the certificate of the origin content server may use this flaw to inject scripting code in the squid generated page, which is executed on the client's browser.
Меры по смягчению последствий
Remove %D error page macro from ERR_SECURE_CONNECT_FAIL pages found under /usr/share/squid/errors/ and any custom error pages.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | squid | Not affected | ||
| Red Hat Enterprise Linux 6 | squid | Will not fix | ||
| Red Hat Enterprise Linux 6 | squid34 | Will not fix | ||
| Red Hat Enterprise Linux 7 | squid | Will not fix | ||
| Red Hat Enterprise Linux 8 | squid | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
5.6 Medium
CVSS3
Связанные уязвимости
Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors.
Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors.
Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S ...
Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors.
EPSS
5.6 Medium
CVSS3