AttackerKB AKB:534461EC-0E7C-42E7-9D2E-382220B30BCE
History: Nov 09, 2018 - 12:00 a.m.

CVE-2018-19131

2018-11-09 00:00:00
attackerkb.com

CVSS3: 6.1 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS2: 4.3 Medium

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Squid before 4.4 has XSS via a crafted X.509 certificate during HTTP(S) error page generation for certificate errors.

Recent assessments:

travisbgreen at April 21, 2020 10:49pm UTC reported:

Bottom line: The commonName property of the certificate that signs the "failed to connect securely" error page within Squid gets rendered as HTML on the client/victim side.

In order to successfully exploit this XSS one would need to write a malicious .pem file in the location specified by squid.conf or modify squid.conf to point to an existing malicious .pem file.

If I had root level access to the filesystem on a squid box, serving an XSS from the error page would not be as useful as any number of other things that could be done. Similar story if you MITM the victim.

PoC @ <https://github.com/JonathanWilbur/CVE-2018-19131>

Assessed Attacker Value: 1
