Search for packages
| purl | pkg:deb/debian/awstats@6.4-1sarge3 |
| Next non-vulnerable version | 7.8-3+deb12u2 |
| Latest non-vulnerable version | 8.0-5 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-48cr-bq8t-fqd3
Aliases: CVE-2006-3681 |
Multiple cross-site scripting (XSS) vulnerabilities in awstats.pl in AWStats 6.5 build 1.857 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) refererpagesfilter, (2) refererpagesfilterex, (3) urlfilterex, (4) urlfilter, (5) hostfilter, or (6) hostfilterex parameters, a different set of vectors than CVE-2006-1945. |
Affected by 11 other vulnerabilities. |
|
VCID-4mn4-kwvz-zfdr
Aliases: CVE-2008-3714 |
awstats: Cross-site scripting (XSS) vulnerability |
Affected by 9 other vulnerabilities. |
|
VCID-6241-45ms-x3ec
Aliases: CVE-2025-63261 |
AWStats 8.0 is vulnerable to Command Injection via the open function |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-7896-2ufa-kqd1
Aliases: CVE-2006-3682 |
awstats.pl in AWStats 6.5 build 1.857 and earlier allows remote attackers to obtain the installation path via the (1) year, (2) pluginmode or (3) month parameters. |
Affected by 11 other vulnerabilities. |
|
VCID-9xag-6wej-6bgk
Aliases: CVE-2010-4369 |
Directory traversal vulnerability in AWStats before 7.0 allows remote attackers to have an unspecified impact via a crafted LoadPlugin directory. |
Affected by 6 other vulnerabilities. |
|
VCID-fxrv-1bju-qkgm
Aliases: CVE-2020-35176 |
In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600. |
Affected by 1 other vulnerability. |
|
VCID-gtjm-xaua-5bhm
Aliases: CVE-2006-2644 |
AWStats 6.5, and possibly other versions, allows remote authenticated users to execute arbitrary code by using the configdir parameter to awstats.pl to upload a configuration file whose name contains shell metacharacters, then access that file using the LogFile directive. |
Affected by 11 other vulnerabilities. |
|
VCID-kfb9-pts3-dffa
Aliases: CVE-2012-4547 |
Unspecified vulnerability in awredir.pl in AWStats before 7.1 has unknown impact and attack vectors. |
Affected by 5 other vulnerabilities. |
|
VCID-kspy-ctky-ykav
Aliases: CVE-2009-5020 |
Open redirect vulnerability in awredir.pl in AWStats before 6.95 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
Affected by 6 other vulnerabilities. |
|
VCID-mds9-fb3d-9qgt
Aliases: CVE-2010-4367 |
awstats.cgi in AWStats before 7.0 accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located on a (1) WebDAV server or (2) NFS server. |
Affected by 6 other vulnerabilities. |
|
VCID-pbfq-fen2-dkhs
Aliases: CVE-2008-5080 |
awstats: incomplete fix for CVE-2008-3714 XSS issue |
Affected by 9 other vulnerabilities. |
|
VCID-qabb-bgqe-afdd
Aliases: CVE-2017-1000501 |
Multiple vulnerabilities have been found in AWStats, the worst of which could result in the arbitrary execution of code. |
Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-s1bj-dpp3-9ubt
Aliases: CVE-2022-46391 |
AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to printing a response from Net::XWhois without proper checks. |
Affected by 1 other vulnerability. |
|
VCID-sy25-mjxc-47bn
Aliases: CVE-2006-1945 |
AWStats contains a bug in the sanitization of the input parameters which can lead to the remote execution of arbitrary code. |
Affected by 11 other vulnerabilities. |
|
VCID-vqyg-xfyk-h3e5
Aliases: CVE-2020-29600 |
In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501. |
Affected by 1 other vulnerability. |
|
VCID-wezb-5vk9-1qdf
Aliases: CVE-2005-1527 |
Eval injection vulnerability in awstats.pl in AWStats 6.4 and earlier, when a URLPlugin is enabled, allows remote attackers to execute arbitrary Perl code via the HTTP Referrer, which is used in a $url parameter that is inserted into an eval function call. |
Affected by 11 other vulnerabilities. |
|
VCID-xwvz-ewcf-x7fm
Aliases: CVE-2006-2237 |
AWStats contains a bug in the sanitization of the input parameters which can lead to the remote execution of arbitrary code. |
Affected by 11 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-53p4-ugqm-uyak | awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to obtain sensitive information by setting the debug parameter. |
CVE-2005-0438
|
| VCID-9zcz-5x16-z3hf | awstats.pl in AWStats 4.0 and 6.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the config parameter. |
CVE-2005-0363
|
| VCID-qk68-2926-uqf4 | AWStats 6.1, and other versions before 6.3, allows remote attackers to execute arbitrary commands via shell metacharacters in the configdir parameter to aswtats.pl. |
CVE-2005-0116
|
| VCID-tg8y-b43c-mkfr | Directory traversal vulnerability in awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to include arbitrary Perl modules via .. (dot dot) sequences in the loadplugin parameter. |
CVE-2005-0437
|
| VCID-ttd1-gp86-nbdx | awstats.pl in AWStats 6.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) "pluginmode", (2) "loadplugin", or (3) "noloadplugin" parameters. |
CVE-2005-0362
|
| VCID-x787-wfdh-gbd4 | awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to read server web logs by setting the loadplugin and pluginmode parameters to rawlog. |
CVE-2005-0435
|
| VCID-yzfr-525e-1fha | Direct code injection vulnerability in awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to execute portions of Perl code via the PluginMode parameter. |
CVE-2005-0436
|