Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Awstats
(Awstats)| Repositories | https://github.com/eldy/awstats |
| #Vulnerabilities | 25 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2005-08-15 | CVE-2005-1527 | Eval injection vulnerability in awstats.pl in AWStats 6.4 and earlier, when a URLPlugin is enabled, allows remote attackers to execute arbitrary Perl code via the HTTP Referrer, which is used in a $url parameter that is inserted into an eval function call. | Awstats, Ubuntu_linux, Debian_linux | N/A | ||
| 2008-12-03 | CVE-2008-5080 | awstats.pl in AWStats 6.8 and earlier does not properly remove quote characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the query_string parameter. NOTE: this issue exists because of an incomplete fix for CVE-2008-3714. | Awstats | N/A | ||
| 2020-12-07 | CVE-2020-29600 | In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501. | Awstats, Debian_linux, Fedora | 9.8 | ||
| 2020-12-12 | CVE-2020-35176 | In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600. | Awstats, Debian_linux, Fedora | 5.3 | ||
| 2022-12-04 | CVE-2022-46391 | AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to printing a response from Net::XWhois without proper checks. | Awstats, Debian_linux, Fedora | 6.1 | ||
| 2018-01-03 | CVE-2017-1000501 | Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution. | Awstats, Debian_linux | 9.8 | ||
| 2018-04-20 | CVE-2018-10245 | A Full Path Disclosure vulnerability in AWStats through 7.6 allows remote attackers to know where the config file is allocated, obtaining the full path of the server, a similar issue to CVE-2006-3682. The attack can, for example, use the awstats.pl framename and update parameters. | Awstats | 5.3 | ||
| 2010-12-02 | CVE-2010-4369 | Directory traversal vulnerability in AWStats before 7.0 allows remote attackers to have an unspecified impact via a crafted LoadPlugin directory. | Awstats | N/A | ||
| 2010-12-02 | CVE-2010-4368 | awstats.cgi in AWStats before 7.0 on Windows accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located at a UNC share pathname. | Awstats | N/A | ||
| 2010-12-02 | CVE-2010-4367 | awstats.cgi in AWStats before 7.0 accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located on a (1) WebDAV server or (2) NFS server. | Awstats | N/A |