Description
Privoxy before 3.0.21 does not properly handle Proxy-Authenticate and Proxy-Authorization headers in the client-server data stream, which makes it easier for remote HTTP servers to spoof the intended proxy service via a 407 (aka Proxy Authentication Required) HTTP status code.
Exploits (1)
exploitdb
WRITEUP
VERIFIED
by Chris John Riley · text · webapps · php
https://www.exploit-db.com/exploits/38377
References (3)
Core References
Exploit x_refsource_misc
http://blog.c22.cc/2013/03/11/privoxy-proxy-authentication-credential-exposure-cve-2013-2503/
Product x_refsource_confirm
http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/ChangeLog?revision=1.188&view=markup
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2013-03/msg00118.html
Scores
EPSS: 0.0348
EPSS Percentile: 87.6%
Details
CWE: CWE-20
Status: published
Products (29)
privoxy/privoxy 2.9.0 pre-alpha
privoxy/privoxy 2.9.1 pre-alpha
privoxy/privoxy 2.9.2 pre-alpha
privoxy/privoxy 2.9.3 pre-alpha
privoxy/privoxy 2.9.11 alpha (3 CPE variants)
privoxy/privoxy 2.9.12 beta
privoxy/privoxy 2.9.13 beta
privoxy/privoxy 2.9.14 beta
privoxy/privoxy 2.9.16
privoxy/privoxy 2.9.18
... and 19 more
Published: Mar 11, 2013
Tracked Since: Feb 18, 2026