oss-sec mailing list archives

Re: [CVE-2019-18860] SQUID-2023:6 Cross Site Scripting in cachemgr.cgi


From: Solar Designer <solar () openwall com>
Date: Wed, 5 Nov 2025 01:09:46 +0100

Hi,

Thank you for posting this, but I'm afraid it is confusing:

On Wed, Nov 05, 2025 at 11:26:14AM +1300, Amos Jeffries wrote:
>     Squid Proxy Cache Security Update Advisory SQUID-2023:6
> 
> Advisory ID:       | SQUID-2023:6 (CVE-2019-18860)
> Date:              | November 5, 2025

OK, so it's an advisory from 2023 for a CVE from 2019 (or for an issue
first disclosed in 2019), which was updated in 2025.  This brings up the
question of what those updates in 2025 are...

> Revision history:
> 
>  2019-10-18 20:15:14 UTC Initial Report
>  2019-11-03 16:22:22 UTC Initial Patches Released
>  2020-03-31 11:07:35 UTC Additional Report

...but the revision history starts in 2019 (before the advisory year?!)
and ends in 2020.

I also found this advisory at:

https://github.com/squid-cache/squid/security/advisories

where it's the only one "published" (or updated?) very recently:

SQUID-2023:6 Cross Site Scripting in cachemgr.cgi
GHSA-xxrg-5p7x-r66h published 1 hour ago by yadij

I also see a couple of SQUID-2025 advisories, one from July 31 and the
other from October 17, 2025.  Both have Critical CVSS severities.

I don't recall you bringing them here?  Perhaps do that now?

SQUID-2025:2 Information Disclosure in Error handling
GHSA-c8cc-phh7-xmxr published 3 weeks ago by yadij
Critical

SQUID-2025:1 Buffer Overflow in URN Handling
GHSA-w4gv-vw3f-29g3 published on Jul 31 by yadij
Critical

I think it's unreasonable to go further back now, but posting these two
recent ones should be beneficial.

Thanks,

Alexander
