) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.
Search Results (Refine Search)
- Keyword (text search): cpe:2.3:a:awstats:awstats:6.8:beta:*:*:*:*:*:*
- CPE Name Search: true
| Vuln ID | Summary | CVSS Severity |
|---|---|---|
| CVE-2020-35176 |
In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600. Published: December 11, 2020; 7:15:12 PM -0500 |
V4.0:(not available) V3.1: 5.3 MEDIUM V2.0: 5.0 MEDIUM |
| CVE-2020-29600 |
In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501. Published: December 07, 2020; 3:15:12 PM -0500 |
V4.0:(not available) V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
| CVE-2018-10245 |
A Full Path Disclosure vulnerability in AWStats through 7.6 allows remote attackers to know where the config file is allocated, obtaining the full path of the server, a similar issue to CVE-2006-3682. The attack can, for example, use the awstats.pl framename and update parameters. Published: April 20, 2018; 1:29:00 PM -0400 |
V4.0:(not available) V3.0: 5.3 MEDIUM V2.0: 5.0 MEDIUM |
| CVE-2017-1000501 |
Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution. Published: January 03, 2018; 10:29:00 AM -0500 |
V4.0:(not available) V3.0: 9.8 CRITICAL V2.0: 7.5 HIGH |
| CVE-2010-4369 |
Directory traversal vulnerability in AWStats before 7.0 allows remote attackers to have an unspecified impact via a crafted LoadPlugin directory. Published: December 02, 2010; 11:22:21 AM -0500 |
V4.0:(not available) V3.x:(not available) V2.0: 6.4 MEDIUM |
| CVE-2010-4368 |
awstats.cgi in AWStats before 7.0 on Windows accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located at a UNC share pathname. Published: December 02, 2010; 11:22:21 AM -0500 |
V4.0:(not available) V3.x:(not available) V2.0: 7.5 HIGH |
| CVE-2010-4367 |
awstats.cgi in AWStats before 7.0 accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located on a (1) WebDAV server or (2) NFS server. Published: December 02, 2010; 11:22:21 AM -0500 |
V4.0:(not available) V3.x:(not available) V2.0: 7.5 HIGH |
| CVE-2009-5020 |
Open redirect vulnerability in awredir.pl in AWStats before 6.95 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. Published: December 02, 2010; 11:22:20 AM -0500 |
V4.0:(not available) V3.x:(not available) V2.0: 5.8 MEDIUM |
| CVE-2008-5080 |
awstats.pl in AWStats 6.8 and earlier does not properly remove quote characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the query_string parameter. NOTE: this issue exists because of an incomplete fix for CVE-2008-3714. Published: December 03, 2008; 1:30:00 PM -0500 |
V4.0:(not available) V3.x:(not available) V2.0: 4.3 MEDIUM |
| CVE-2008-3714 |
Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.8 allows remote attackers to inject arbitrary web script or HTML via the query_string, a different vulnerability than CVE-2006-3681 and CVE-2006-1945. Published: August 19, 2008; 3:41:00 PM -0400 |
V4.0:(not available) V3.x:(not available) V2.0: 4.3 MEDIUM |