CVE-2008-5080

Published: 03/12/2008 Updated: 07/11/2023
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

awstats.pl in AWStats 6.8 and previous versions does not properly remove quote characters, which allows remote malicious users to conduct cross-site scripting (XSS) attacks via the query_string parameter. NOTE: this issue exists because of an incomplete fix for CVE-2008-3714.

Vulnerable Product

awstats awstats 5.7

awstats awstats 6.3

awstats awstats 6.5

awstats awstats 5.9

awstats awstats 6.1

awstats awstats 6.2

awstats awstats 5.0

awstats awstats 5.2

awstats awstats 5.6

awstats awstats 5.1

awstats awstats

awstats awstats 6.0

awstats awstats 5.4

awstats awstats 5.3

awstats awstats 5.8

awstats awstats 6.7

awstats awstats 6.6

awstats awstats 5.5

awstats awstats 6.4

Vendor Advisories

Debian Bug report logs - #495432 XSS in awstats < 6.9beta (upstream bug 2001151) Package: awstats; Maintainer for awstats is Debian QA Group <packages@qa.debian.org>; Source for awstats is src:awstats (PTS, buildd, popcon) Reported by: Andreas Henriksson <andreas@fatal.se> Date: Sun, 17 Aug 2008 11:30:01 UTC Seve ...
Morgan Todd discovered that AWStats did not correctly strip quotes from certain parameters, allowing for an XSS attack when running as a CGI. If a user was tricked by a remote attacker into following a specially crafted URL, the user’s authentication information could be exposed for the domain where AWStats was hosted ...