In Squid before 4.9, when certain web browsers are used, mishandles HTML in the host parameter to cachemgr.cgi which could result in squid behaving in unsecure way
External References: https://github.com/squid-cache/squid/pull/504
Mitigation: The cachemgr.cgi script is not used by default. If you've set this up manually and are worried about this issue, remove it from your server.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-18860
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4743 https://access.redhat.com/errata/RHSA-2020:4743