{"url":"http://public2.vulnerablecode.io/api/packages/5864?format=json","purl":"pkg:deb/debian/awstats@7.2%2Bdfsg-1%2Bdeb8u1","type":"deb","namespace":"debian","name":"awstats","version":"7.2+dfsg-1+deb8u1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"7.8-3+deb12u2","latest_non_vulnerable_version":"7.8-3+deb12u2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/59657?format=json","vulnerability_id":"VCID-21dg-q89r-gygn","summary":"AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to printing a response from Net::XWhois without proper checks.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-46391","reference_id":"","reference_type":"","scores":[{"value":"0.01003","scoring_system":"epss","scoring_elements":"0.77365","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01003","scoring_system":"epss","scoring_elements":"0.77392","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01003","scoring_system":"epss","scoring_elements":"0.77403","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01003","scoring_system":"epss","scoring_elements":"0.77393","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01003","scoring_system":"epss","scoring_elements":"0.77383","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01003","scoring_system":"epss","scoring_elements":"0.77405","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-46391"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46391","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46391"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025410","reference_id":"1025410","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025410"},{"reference_url":"https://github.com/eldy/AWStats/pull/226","reference_id":"226","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-24T15:20:05Z/"}],"url":"https://github.com/eldy/AWStats/pull/226"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GRFYH4DE3COMI3LJCOQQXA4FWOABU6Z2/","reference_id":"GRFYH4DE3COMI3LJCOQQXA4FWOABU6Z2","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-24T15:20:05Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GRFYH4DE3COMI3LJCOQQXA4FWOABU6Z2/"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00010.html","reference_id":"msg00010.html","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-24T15:20:05Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00010.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYUZIFVB4N3NK4WGNHRNXZKJITCJBJX4/","reference_id":"MYUZIFVB4N3NK4WGNHRNXZKJITCJBJX4","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-24T15:20:05Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYUZIFVB4N3NK4WGNHRNXZKJITCJBJX4/"},{"reference_url":"https://usn.ubuntu.com/5899-1/","reference_id":"USN-5899-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5899-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5867?format=json","purl":"pkg:deb/debian/awstats@7.8-2%2Bdeb11u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4bv-8sg9-dyb8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/awstats@7.8-2%252Bdeb11u1"}],"aliases":["CVE-2022-46391"],"risk_score":2.8,"exploitability":"0.5","weighted_severity":"5.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-21dg-q89r-gygn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/59647?format=json","vulnerability_id":"VCID-7jzt-1m61-cqct","summary":"Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the \"config\" and \"migrate\" parameters resulting in unauthenticated remote code execution.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-1000501","reference_id":"","reference_type":"","scores":[{"value":"0.06548","scoring_system":"epss","scoring_elements":"0.91302","published_at":"2026-06-04T12:55:00Z"},{"value":"0.06548","scoring_system":"epss","scoring_elements":"0.91314","published_at":"2026-06-05T12:55:00Z"},{"value":"0.06548","scoring_system":"epss","scoring_elements":"0.91315","published_at":"2026-06-06T12:55:00Z"},{"value":"0.06548","scoring_system":"epss","scoring_elements":"0.91311","published_at":"2026-06-07T12:55:00Z"},{"value":"0.06548","scoring_system":"epss","scoring_elements":"0.91307","published_at":"2026-06-08T12:55:00Z"},{"value":"0.06548","scoring_system":"epss","scoring_elements":"0.91322","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-1000501"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000501","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000501"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885835","reference_id":"885835","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885835"},{"reference_url":"https://security.gentoo.org/glsa/202007-37","reference_id":"GLSA-202007-37","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202007-37"},{"reference_url":"https://usn.ubuntu.com/3518-1/","reference_id":"USN-3518-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3518-1/"},{"reference_url":"https://usn.ubuntu.com/4953-1/","reference_id":"USN-4953-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4953-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5865?format=json","purl":"pkg:deb/debian/awstats@7.6%2Bdfsg-1%2Bdeb9u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21dg-q89r-gygn"},{"vulnerability":"VCID-7jzt-1m61-cqct"},{"vulnerability":"VCID-7vkx-61ah-vkda"},{"vulnerability":"VCID-x4bv-8sg9-dyb8"},{"vulnerability":"VCID-y1kf-udqd-mbhh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/awstats@7.6%252Bdfsg-1%252Bdeb9u1"},{"url":"http://public2.vulnerablecode.io/api/packages/5866?format=json","purl":"pkg:deb/debian/awstats@7.6%2Bdfsg-2%2Bdeb10u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21dg-q89r-gygn"},{"vulnerability":"VCID-7vkx-61ah-vkda"},{"vulnerability":"VCID-x4bv-8sg9-dyb8"},{"vulnerability":"VCID-y1kf-udqd-mbhh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/awstats@7.6%252Bdfsg-2%252Bdeb10u1"}],"aliases":["CVE-2017-1000501"],"risk_score":0.1,"exploitability":"0.5","weighted_severity":"0.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7jzt-1m61-cqct"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/59652?format=json","vulnerability_id":"VCID-7vkx-61ah-vkda","summary":"In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-29600","reference_id":"","reference_type":"","scores":[{"value":"0.01743","scoring_system":"epss","scoring_elements":"0.8287","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01743","scoring_system":"epss","scoring_elements":"0.82896","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01743","scoring_system":"epss","scoring_elements":"0.82893","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01743","scoring_system":"epss","scoring_elements":"0.82886","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01743","scoring_system":"epss","scoring_elements":"0.82899","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-29600"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29600","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29600"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891469","reference_id":"891469","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891469"},{"reference_url":"https://usn.ubuntu.com/4953-1/","reference_id":"USN-4953-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4953-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5867?format=json","purl":"pkg:deb/debian/awstats@7.8-2%2Bdeb11u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4bv-8sg9-dyb8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/awstats@7.8-2%252Bdeb11u1"}],"aliases":["CVE-2020-29600"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7vkx-61ah-vkda"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/59660?format=json","vulnerability_id":"VCID-x4bv-8sg9-dyb8","summary":"AWStats 8.0 is vulnerable to Command Injection via the open function","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-63261","reference_id":"","reference_type":"","scores":[{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.2161","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21717","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21705","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.2166","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21602","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-63261"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-63261","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-63261"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131878","reference_id":"1131878","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131878"},{"reference_url":"https://github.com/eldy/AWStats/blob/develop/wwwroot/cgi-bin/awstats.pl","reference_id":"awstats.pl","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-23T14:09:17Z/"}],"url":"https://github.com/eldy/AWStats/blob/develop/wwwroot/cgi-bin/awstats.pl"},{"reference_url":"https://pentest-tools.com/PTT-2025-021-Code-Execution-in-AWStats.pdf","reference_id":"PTT-2025-021-Code-Execution-in-AWStats.pdf","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-23T14:09:17Z/"}],"url":"https://pentest-tools.com/PTT-2025-021-Code-Execution-in-AWStats.pdf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1014400?format=json","purl":"pkg:deb/debian/awstats@7.8-3%2Bdeb12u2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/awstats@7.8-3%252Bdeb12u2"}],"aliases":["CVE-2025-63261"],"risk_score":3.5,"exploitability":"0.5","weighted_severity":"7.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x4bv-8sg9-dyb8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5628?format=json","vulnerability_id":"VCID-y1kf-udqd-mbhh","summary":"directory traversal","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-35176","reference_id":"","reference_type":"","scores":[{"value":"0.00937","scoring_system":"epss","scoring_elements":"0.76603","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00937","scoring_system":"epss","scoring_elements":"0.76568","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00937","scoring_system":"epss","scoring_elements":"0.76597","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00937","scoring_system":"epss","scoring_elements":"0.76604","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00937","scoring_system":"epss","scoring_elements":"0.76592","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00937","scoring_system":"epss","scoring_elements":"0.76582","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-35176"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35176","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35176"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977190","reference_id":"977190","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977190"},{"reference_url":"https://security.archlinux.org/ASA-202103-15","reference_id":"ASA-202103-15","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202103-15"},{"reference_url":"https://security.archlinux.org/AVG-1356","reference_id":"AVG-1356","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1356"},{"reference_url":"https://usn.ubuntu.com/4953-1/","reference_id":"USN-4953-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4953-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5867?format=json","purl":"pkg:deb/debian/awstats@7.8-2%2Bdeb11u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-x4bv-8sg9-dyb8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/awstats@7.8-2%252Bdeb11u1"}],"aliases":["CVE-2020-35176"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y1kf-udqd-mbhh"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/59647?format=json","vulnerability_id":"VCID-7jzt-1m61-cqct","summary":"Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the \"config\" and \"migrate\" parameters resulting in unauthenticated remote code execution.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-1000501","reference_id":"","reference_type":"","scores":[{"value":"0.06548","scoring_system":"epss","scoring_elements":"0.91302","published_at":"2026-06-04T12:55:00Z"},{"value":"0.06548","scoring_system":"epss","scoring_elements":"0.91314","published_at":"2026-06-05T12:55:00Z"},{"value":"0.06548","scoring_system":"epss","scoring_elements":"0.91315","published_at":"2026-06-06T12:55:00Z"},{"value":"0.06548","scoring_system":"epss","scoring_elements":"0.91311","published_at":"2026-06-07T12:55:00Z"},{"value":"0.06548","scoring_system":"epss","scoring_elements":"0.91307","published_at":"2026-06-08T12:55:00Z"},{"value":"0.06548","scoring_system":"epss","scoring_elements":"0.91322","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-1000501"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000501","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000501"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885835","reference_id":"885835","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885835"},{"reference_url":"https://security.gentoo.org/glsa/202007-37","reference_id":"GLSA-202007-37","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202007-37"},{"reference_url":"https://usn.ubuntu.com/3518-1/","reference_id":"USN-3518-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3518-1/"},{"reference_url":"https://usn.ubuntu.com/4953-1/","reference_id":"USN-4953-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4953-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5864?format=json","purl":"pkg:deb/debian/awstats@7.2%2Bdfsg-1%2Bdeb8u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21dg-q89r-gygn"},{"vulnerability":"VCID-7jzt-1m61-cqct"},{"vulnerability":"VCID-7vkx-61ah-vkda"},{"vulnerability":"VCID-x4bv-8sg9-dyb8"},{"vulnerability":"VCID-y1kf-udqd-mbhh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/awstats@7.2%252Bdfsg-1%252Bdeb8u1"},{"url":"http://public2.vulnerablecode.io/api/packages/5865?format=json","purl":"pkg:deb/debian/awstats@7.6%2Bdfsg-1%2Bdeb9u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21dg-q89r-gygn"},{"vulnerability":"VCID-7jzt-1m61-cqct"},{"vulnerability":"VCID-7vkx-61ah-vkda"},{"vulnerability":"VCID-x4bv-8sg9-dyb8"},{"vulnerability":"VCID-y1kf-udqd-mbhh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/awstats@7.6%252Bdfsg-1%252Bdeb9u1"},{"url":"http://public2.vulnerablecode.io/api/packages/5866?format=json","purl":"pkg:deb/debian/awstats@7.6%2Bdfsg-2%2Bdeb10u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-21dg-q89r-gygn"},{"vulnerability":"VCID-7vkx-61ah-vkda"},{"vulnerability":"VCID-x4bv-8sg9-dyb8"},{"vulnerability":"VCID-y1kf-udqd-mbhh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/awstats@7.6%252Bdfsg-2%252Bdeb10u1"}],"aliases":["CVE-2017-1000501"],"risk_score":0.1,"exploitability":"0.5","weighted_severity":"0.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7jzt-1m61-cqct"}],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/awstats@7.2%252Bdfsg-1%252Bdeb8u1"}