CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2022-46391
https://notcve.org/view.php?id=CVE-2022-46391
AWStats 7.x through 7.8 allows XSS in the hostinfo plugin due to printing a response from Net::XWhois without proper checks. AWStats 7.x a 7.8 permite XSS en el complemento hostinfo debido a que se imprime una respuesta de Net::XWhois sin las comprobaciones adecuadas. • https://github.com/eldy/AWStats/pull/226 https://lists.debian.org/debian-lts-announce/2022/12/msg00010.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GRFYH4DE3COMI3LJCOQQXA4FWOABU6Z2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYUZIFVB4N3NK4WGNHRNXZKJITCJBJX4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2020-35176
https://notcve.org/view.php?id=CVE-2020-35176
In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501 and CVE-2020-29600. En AWStats versiones hasta 7.8, cgi-bin/awstats.pl?config= acepta un nombre de ruta absoluto parcial (omitiendo el inicio /etc), aunque solo estaba destinado a leer un archivo en el formato /etc/awstats/awstats.conf. • https://github.com/eldy/awstats/issues/195 https://lists.debian.org/debian-lts-announce/2020/12/msg00035.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/47QZWKSRZYZFESYTLSW7A6KVKOOPL7IV https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRHYCKLW5VPM6KP2WZW6DCCVHVBG7YCW • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 2CVE-2020-29600
https://notcve.org/view.php?id=CVE-2020-29600
In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501. En AWStats versiones hasta 7.7, cgi-bin/awstats.pl?config= acepta un nombre de ruta absoluto, aunque su intención es que solo lea un archivo en el formato /etc/awstats/awstats.conf. • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891469 https://github.com/eldy/awstats/issues/90 https://lists.debian.org/debian-lts-announce/2020/12/msg00035.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/47QZWKSRZYZFESYTLSW7A6KVKOOPL7IV • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2018-10245
https://notcve.org/view.php?id=CVE-2018-10245
A Full Path Disclosure vulnerability in AWStats through 7.6 allows remote attackers to know where the config file is allocated, obtaining the full path of the server, a similar issue to CVE-2006-3682. The attack can, for example, use the awstats.pl framename and update parameters. Una vulnerabilidad de divulgación de ruta completa en AWStats, hasta la versión 7.6, permite que atacantes remotos sepan dónde está alojado el archivo de configuración, lo que les permite obtener la ruta completa del servidor. Este problema es similar a CVE-2006-3682. El ataque puede, por ejemplo, emplear los parámetros framename y update en awstats.pl. • https://github.com/theyiyibest/AWStatsFullPathDisclosure • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 8%CPEs: 4EXPL: 0CVE-2017-1000501
https://notcve.org/view.php?id=CVE-2017-1000501
Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution. Las versiones 7.6 y anteriores de Awstats son vulnerables a un error de salto de directorio en la manipulación de los parámetros "config" y "migrate", lo que resulta en la ejecución remota de código sin autenticar. • http://www.awstats.org https://github.com/eldy/awstats/commit/06c0ab29c1e5059d9e0279c6b64d573d619e1651 https://github.com/eldy/awstats/commit/cf219843a74c951bf5986f3a7fffa3dcf99c3899 https://lists.debian.org/debian-lts-announce/2018/01/msg00012.html https://security.gentoo.org/glsa/202007-37 https://www.debian.org/security/2018/dsa-4092 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •