Awstats
By the Year
In 2024 there have been 0 vulnerabilities in Awstats . Awstats did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 0 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 1 | 6.10 |
| 2021 | 0 | 0.00 |
| 2020 | 2 | 7.55 |
| 2019 | 0 | 0.00 |
| 2018 | 2 | 7.55 |
It may take a day or so for new Awstats vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Awstats Security Vulnerabilities
AWStats 7.x through 7.8
CVE-2022-46391
6.1 - Medium
- December 04, 2022
AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to printing a response from Net::XWhois without proper checks.
XSS
In AWStats through 7.8
CVE-2020-35176
5.3 - Medium
- December 12, 2020
In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600.
Directory traversal
In AWStats through 7.7
CVE-2020-29600
9.8 - Critical
- December 07, 2020
In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501.
Directory traversal
A Full Path Disclosure vulnerability in AWStats through 7.6
CVE-2018-10245
5.3 - Medium
- April 20, 2018
A Full Path Disclosure vulnerability in AWStats through 7.6 allows remote attackers to know where the config file is allocated, obtaining the full path of the server, a similar issue to CVE-2006-3682. The attack can, for example, use the awstats.pl framename and update parameters.
Information Disclosure
Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.
CVE-2017-1000501
9.8 - Critical
- January 03, 2018
Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.
Directory traversal
awstats.pl in AWStats 6.8 and earlier does not properly remove quote characters, which
CVE-2008-5080
- December 03, 2008
awstats.pl in AWStats 6.8 and earlier does not properly remove quote characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the query_string parameter. NOTE: this issue exists because of an incomplete fix for CVE-2008-3714.
XSS
Eval injection vulnerability in awstats.pl in AWStats 6.4 and earlier, when a URLPlugin is enabled, allows remote attackers to execute arbitrary Perl code via the HTTP Referrer, which is used in a $url parameter
CVE-2005-1527
- August 15, 2005
Eval injection vulnerability in awstats.pl in AWStats 6.4 and earlier, when a URLPlugin is enabled, allows remote attackers to execute arbitrary Perl code via the HTTP Referrer, which is used in a $url parameter that is inserted into an eval function call.
Code Injection
