In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501.
Max CVSS
9.8
EPSS Score
0.23%
Published
2020-12-07
Updated
2021-03-04
Awstats version 7.6 and earlier is vulnerable to a path traversal flaw in the handling of the "config" and "migrate" parameters resulting in unauthenticated remote code execution.
Max CVSS
9.8
EPSS Score
8.27%
Published
2018-01-03
Updated
2020-07-27
2 vulnerabilities found