Total
25 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-46391 | 3 Awstats, Debian, Fedoraproject | 3 Awstats, Debian Linux, Fedora | 2024-02-28 | N/A | 6.1 MEDIUM |
| AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to printing a response from Net::XWhois without proper checks. | |||||
| CVE-2020-29600 | 3 Awstats, Debian, Fedoraproject | 3 Awstats, Debian Linux, Fedora | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501. | |||||
| CVE-2020-35176 | 3 Awstats, Debian, Fedoraproject | 3 Awstats, Debian Linux, Fedora | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600. | |||||
| CVE-2018-10245 | 1 Awstats | 1 Awstats | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| A Full Path Disclosure vulnerability in AWStats through 7.6 allows remote attackers to know where the config file is allocated, obtaining the full path of the server, a similar issue to CVE-2006-3682. The attack can, for example, use the awstats.pl framename and update parameters. | |||||
| CVE-2017-1000501 | 2 Awstats, Debian | 2 Awstats, Debian Linux | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution. | |||||
| CVE-2010-4369 | 1 Awstats | 1 Awstats | 2024-02-28 | 6.4 MEDIUM | N/A |
| Directory traversal vulnerability in AWStats before 7.0 allows remote attackers to have an unspecified impact via a crafted LoadPlugin directory. | |||||
| CVE-2009-5020 | 1 Awstats | 1 Awstats | 2024-02-28 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in awredir.pl in AWStats before 6.95 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | |||||
| CVE-2010-4367 | 1 Awstats | 1 Awstats | 2024-02-28 | 7.5 HIGH | N/A |
| awstats.cgi in AWStats before 7.0 accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located on a (1) WebDAV server or (2) NFS server. | |||||
| CVE-2010-4368 | 2 Awstats, Microsoft | 2 Awstats, Windows | 2024-02-28 | 7.5 HIGH | N/A |
| awstats.cgi in AWStats before 7.0 on Windows accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located at a UNC share pathname. | |||||
| CVE-2008-3714 | 1 Awstats | 1 Awstats | 2024-02-28 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows remote attackers to inject arbitrary web script or HTML via the query_string, a different vulnerability than CVE-2006-3681 and CVE-2006-1945. | |||||
| CVE-2008-5080 | 1 Awstats | 1 Awstats | 2024-02-28 | 4.3 MEDIUM | N/A |
| awstats.pl in AWStats 6.8 and earlier does not properly remove quote characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the query_string parameter. NOTE: this issue exists because of an incomplete fix for CVE-2008-3714. | |||||
| CVE-2005-0436 | 1 Awstats | 1 Awstats | 2024-02-28 | 7.5 HIGH | N/A |
| Direct code injection vulnerability in awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to execute portions of Perl code via the PluginMode parameter. | |||||
| CVE-2005-0116 | 1 Awstats | 1 Awstats | 2024-02-28 | 7.5 HIGH | N/A |
| AWStats 6.1, and other versions before 6.3, allows remote attackers to execute arbitrary commands via shell metacharacters in the configdir parameter to aswtats.pl. | |||||
| CVE-2005-0363 | 1 Awstats | 1 Awstats | 2024-02-28 | 7.5 HIGH | N/A |
| awstats.pl in AWStats 4.0 and 6.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the config parameter. | |||||
| CVE-2005-2732 | 1 Awstats | 1 Awstats | 2024-02-28 | 5.0 MEDIUM | N/A |
| AWStats 6.4, and possibly earlier versions, allows remote attackers to obtain sensitive information via a file that does not exist in the config parameter, which reveals the path in an error message. | |||||
| CVE-2006-2237 | 1 Awstats | 1 Awstats | 2024-02-28 | 5.1 MEDIUM | N/A |
| The web interface for AWStats 6.4 and 6.5, when statistics updates are enabled, allows remote attackers to execute arbitrary code via shell metacharacters in the migrate parameter. | |||||
| CVE-2005-0437 | 1 Awstats | 1 Awstats | 2024-02-28 | 7.5 HIGH | N/A |
| Directory traversal vulnerability in awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to include arbitrary Perl modules via .. (dot dot) sequences in the loadplugin parameter. | |||||
| CVE-2006-1945 | 1 Awstats | 1 Awstats | 2024-02-28 | 2.6 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the config parameter. NOTE: this might be the same core issue as CVE-2005-2732. | |||||
| CVE-2005-0438 | 1 Awstats | 1 Awstats | 2024-02-28 | 5.0 MEDIUM | N/A |
| awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to obtain sensitive information by setting the debug parameter. | |||||
| CVE-2005-0362 | 1 Awstats | 1 Awstats | 2024-02-28 | 4.6 MEDIUM | N/A |
| awstats.pl in AWStats 6.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) "pluginmode", (2) "loadplugin", or (3) "noloadplugin" parameters. | |||||